Analysis Report

Overview

General Information

Analysis ID:45855
Start time:14:14:49
Start date:07/08/2014
Overall analysis duration:0h 2m 41s
Report type:full
Sample file name:894c20f0d97c5a1dee106331e00abd48.exe
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
HCA enabled:true
HCA success:
  • true, ratio: 97%
  • Number of executed functions: 27
  • Number of non-executed functions: 177


Detection

StrategyReport FP/FN
Threshold malicious


Signature Overview


Networking:

barindex
Uses ping.exe to check the status of other devices and networksShow sources
Source: unknownProcess created: C:\WINDOWS\system32\ping.exe

Boot Survival:

barindex
Creates an autostart registry keyShow sources
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 894c20f0d97c5a1dee106331e00abd48
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeRegistry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 894c20f0d97c5a1dee106331e00abd48
Drops PE files to the user root directory (C:\Documents and Settings\User or C:\Users\User)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeFile created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeFile created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Drops PE files to the user directory (C:\Documents and Settings\)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeFile created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0041F19A LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0041F19A
PE file contains an invalid checksumShow sources
Source: initial sampleStatic PE information: real checksum: 0x1815c should be: 0x67433

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00405880 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary,1_2_00405880

System Summary:

barindex
Contains functionality for error loggingShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00402860 lstrlenA,lstrcpynA,GetStockObject,LoadCursorA,GetLastError,FormatMessageA,CreateWindowExA,GetClassInfoA,SetWindowLongA,SendMessageA,1_2_00402860
Contains functionality to access the windows certificate storeShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00406690 Sleep,CertOpenSystemStoreA,GetLastError,CertCreateCertificateContext,CertCloseStore,CreateThread,CertAddCertificateContextToStore,GetLastError,TerminateThread,CertFreeCertificateContext,CertCloseStore,1_2_00406690
Contains functionality to enum processes or threadsShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0040D5D0 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_0040D5D0
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0041751C GetStartupInfoW,GetFileType,InitializeCriticalSectionAndSpinCount,GetStdHandle,GetFileType,InitializeCriticalSectionAndSpinCount,LockResource,1_2_0041751C
Creates files inside the user directoryShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeFile created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Executable uses VB runtime library 6.0 (Probably coded in Visual Basic)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeSection loaded: C:\WINDOWS\system32\msvbvm60.dll
Executes batch filesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess created: C:\WINDOWS\system32\cmd.exe cmd /c C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
Reads ini filesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeFile read: C:\Documents and Settings\Administrator\My Documents\desktop.ini
Spawns processesShow sources
Source: unknownProcess created: C:\894c20f0d97c5a1dee106331e00abd48.exe
Source: unknownProcess created: C:\894c20f0d97c5a1dee106331e00abd48.exe
Source: unknownProcess created: C:\WINDOWS\system32\cmd.exe
Source: unknownProcess created: C:\WINDOWS\system32\ping.exe
Source: unknownProcess created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Source: unknownProcess created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess created: C:\894c20f0d97c5a1dee106331e00abd48.exe C:\894c20f0d97c5a1dee106331e00abd48.exe
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess created: C:\WINDOWS\system32\cmd.exe cmd /c C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
Source: C:\WINDOWS\system32\cmd.exeProcess created: C:\WINDOWS\system32\ping.exe ping -n 1 localhost
Source: C:\WINDOWS\system32\cmd.exeProcess created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Enables driver privilegesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess token adjusted: Load Driver

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to create a new security descriptorShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0040D2D0 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeLibrary,1_2_0040D2D0
Contains functionality to launch a program with higher privilegesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_004060D0 GetModuleFileNameA,KillTimer,ShellExecuteA,PostQuitMessage,ShellExecuteA,PostQuitMessage,1_2_004060D0
Injects a PE file into a foreign processesShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeMemory written: C:\894c20f0d97c5a1dee106331e00abd48.exe base: 400000 value starts with: 4D5A
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeMemory written: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeThread register set: target process: 3488

Anti Debugging and Sandbox Evasion:

barindex
Contains functionality to register its own exception handlerShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0041B1D4 SetUnhandledExceptionFilter,1_2_0041B1D4
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00410A4E
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0041695A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0041695A
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_1_0041B1D4 SetUnhandledExceptionFilter,1_1_0041B1D4
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_1_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_00410A4E
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_1_0041695A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_0041695A
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeCode function: 5_2_0041B1D4 SetUnhandledExceptionFilter,5_2_0041B1D4
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeCode function: 5_2_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00410A4E
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeCode function: 5_2_0041695A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0041695A
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00410A4E
Contains functionality to dynamically determine API callsShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0041F19A LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0041F19A
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_0040C850 Sleep,RasEnumEntriesA,RasEnumEntriesA,GetProcessHeap,HeapAlloc,RasEnumEntriesA,RasGetEntryPropertiesA,RasSetEntryPropertiesA,GetProcessHeap,HeapFree,1_2_0040C850
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeMemory protected: page read and write and page guard

Virtual Machine Detection:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00405880 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary,1_2_00405880
Queries a list of all running processesShow sources
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exeProcess information set: NOOPENFILEERRORBOX
Deletes itself after installationShow sources
Source: C:\WINDOWS\system32\cmd.exeFile deleted: c:\894c20f0d97c5a1dee106331e00abd48.exe

Language, Device and Operating System Detection:

barindex
Contains functionality to query local / system timeShow sources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exeCode function: 1_2_00411553 GetSystemTimeAsFileTime,1_2_00411553

Yara Overview

No Yara matches

Screenshot

Startup

  • system is xp
  • cleanup

Created / dropped Files

File PathType and Hashes
C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
  • Type: ASCII text, with CRLF line terminators
  • MD5: D1C03BFDCC8411B9475F5853B4181794
  • SHA: 7B08E10D36D19E74C95FBF8FC5B8EEFB1395F73C
  • SHA-256: 6CA61E83124B3A859E30FECDA890BA15CD1546738F5A240E6944ED745369085A
  • SHA-512: 2617C134C5F6FD784D9507244E37CC515FC012FF6F439E8B1CC318C97E2029A21CB7850B4BB91AB2D293B2AB137CCD068269EBACA21A5AB05F4145A7EB87868D
C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: 894C20F0D97C5A1DEE106331E00ABD48
  • SHA: 3C748800EF937E690D6779E4424CE30F7CA12911
  • SHA-256: 6AEF8BF0505A203D9A63A8EA0711C98C8AAD5B6EDE641FE11EE42402D0D10A54
  • SHA-512: E22CB8D5E54079797EE02B86EBA152E39C37350202E83155D8A8AD6A02380F5747F4183CBD449A79A8FEB6665BDDC2888779606A8306432B1100294246D724A0
\Device\Null
  • Type: ASCII text, with CRLF, CR line terminators
  • MD5: E33CC7998AEDAA2E2E6A52CB06F1CA2E
  • SHA: D950B332D697BA3B19B9F56393D50D7DE650EEA6
  • SHA-256: E1A2C6E7C7DA582CEDB448BD0A078501C1B02F858FBBCE4A53699F3381E4D269
  • SHA-512: C5A6453BB93D3E5DDB79B54D042A8653CC0283ECE8D9EAF6883F8BBCC3D711F03FF9A8431FAE44BE3D78A95C61E1C87C5B8F6BDB4DF48B3B0E9D2833784C42A9

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:894c20f0d97c5a1dee106331e00abd48.exe
File size:359678
MD5:894c20f0d97c5a1dee106331e00abd48
SHA1:3c748800ef937e690d6779e4424ce30f7ca12911
SHA256:6aef8bf0505a203d9a63a8ea0711c98c8aad5b6ede641fe11ee42402d0d10a54
SHA512:e22cb8d5e54079797ee02b86eba152e39c37350202e83155d8a8ad6a02380f5747f4183cbd449a79a8feb6665bddc2888779606a8306432b1100294246d724a0

File Icon

Static PE Info

General

Entrypoint:0x4015fc
Entrypoint Section:.text
Digitally signed:true
Signature Valid:
Signature Issuer:
Signature Validation Error:
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x53CDECFE [Tue Jul 22 04:47:58 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0

Entrypoint Preview

Instruction
push 004018ACh
call 00007F1DD0A322C3h
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+3A7882A7h], bl
js 00007F1DD0A32341h
dec esi
mov ecx, BB0995D4h
or ecx, dword ptr [edx]
pop ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jne 00007F1DD0A3233Ch
jne 00007F1DD0A3234Bh
je 00007F1DD0A322D2h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], cl
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [esi-08h], al
fstcw word ptr [edi]
lodsb
imul dword ptr [ebx+4501B143h]
xor cl, bh
or byte ptr [esi+00000001h], FFFFFF98h
add byte ptr [eax], al
add byte ptr [eax+01000000h], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+6Fh], al
insb
outsd
jc 00007F1DD0A32338h
jne 00007F1DD0A3233Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ah, cl
in eax, dx
movsb
and edx, dword ptr [ebp+60h]
dec esp
mov byte ptr [A5C5307Dh], al
imul ecx, esp, 4Dh
or dl, byte ptr [ebx+ebp*2+6Ah]
dec esp
add al, 8Eh
dec edi
mov ah, 8Bh

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0xd0840x3c.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x110000x8d8.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x50000000x505
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2380x30
IMAGE_DIRECTORY_ENTRY_IAT0x10000x1a4.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeEntropyXored PEZLIB ComplexityFile TypeCharacteristics
.text0x10000xc8000xd0004.48505293235False0.334097055288dataIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data0xe0000x26340x10000.0False0.00634765625dataIMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x110000x8d80x10001.96916043516False0.170654296875dataIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryNbr Of FunctionsXored PE
RT_ICON0x117a80x130data0False
RT_ICON0x114c00x2e8data0False
RT_ICON0x113980x128GLS_BINARY_LSB_FIRST0False
RT_GROUP_ICON0x113680x30MS Windows icon resource - 3 icons, 32x32, 2-colors0False
RT_VERSION0x111500x218dataEnglishUnited States0False

Imports

DLLImport
USER32.DLLCallWindowProcA
MSVBVM60.DLL__vbaVarSub, __vbaVarTstGt, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaLenBstrB, __vbaVargVarCopy, _adj_fdiv_m32, __vbaVarXor, __vbaAryDestruct, __vbaExitProc, __vbaVarForInit, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR4, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, __vbaFpUI1, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaFixstrConstruct, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaStr2Vec, __vbaUI1I4, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarAdd, __vbaAryLock, __vbaVarDup, __vbaStrToAnsi, __vbaVarMod, __vbaVarCopy, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, __vbaStrVarCopy, _allmul, _CItan, __vbaUI1Var, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeStr

Version Infos

DescriptionData
Translation0x0409 0x04b0
InternalName544
FileVersion8.01.0001
CompanyNamebhhyvcde
ProductNamenbhvgtcxwqa
ProductVersion8.01.0001
OriginalFilename544.exe

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

Hooks - Code Manipulation Behavior

System Behavior

Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 3044 Parent PID: 1740

General

Start time:14:15:16
Start date:07/08/2014
Path:C:\894c20f0d97c5a1dee106331e00abd48.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:359678 bytes
MD5 hash:894C20F0D97C5A1DEE106331E00ABD48

Chronological Activities

Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 3488 Parent PID: 3044

General

Start time:14:15:17
Start date:07/08/2014
Path:C:\894c20f0d97c5a1dee106331e00abd48.exe
Wow64 process (32bit):false
Commandline:C:\894c20f0d97c5a1dee106331e00abd48.exe
Imagebase:0x400000
File size:359678 bytes
MD5 hash:894C20F0D97C5A1DEE106331E00ABD48

Chronological Activities

Analysis Process: cmd.exe PID: 944 Parent PID: 3488

General

Start time:14:15:57
Start date:07/08/2014
Path:C:\WINDOWS\system32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
Imagebase:0x4ad00000
File size:389120 bytes
MD5 hash:6D778E0F95447E6546553EEEA709D03C

Chronological Activities

Analysis Process: ping.exe PID: 2368 Parent PID: 944

General

Start time:14:15:57
Start date:07/08/2014
Path:C:\WINDOWS\system32\ping.exe
Wow64 process (32bit):false
Commandline:ping -n 1 localhost
Imagebase:0x7c900000
File size:17920 bytes
MD5 hash:66CDF02D86C9F0B4300EE981A614D296

Chronological Activities

Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 3552 Parent PID: 944

General

Start time:14:15:58
Start date:07/08/2014
Path:C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Wow64 process (32bit):false
Commandline:C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Imagebase:0x400000
File size:359678 bytes
MD5 hash:894C20F0D97C5A1DEE106331E00ABD48

Chronological Activities

Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 1708 Parent PID: 3552

General

Start time:14:15:59
Start date:07/08/2014
Path:C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Wow64 process (32bit):false
Commandline:C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Imagebase:0x400000
File size:359678 bytes
MD5 hash:894C20F0D97C5A1DEE106331E00ABD48

Chronological Activities

Disassembly

Code Analysis

< >

    Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 3044 Parent PID: 1740

    Executed Functions

    Function 0040B6D0, Relevance: 75.6, APIs: 40, Strings: 3, Instructions: 370
    APIs
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,735068BA), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,735068BA), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,735068BA), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,735068BA), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(73506A74,?,73501785), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,73501785), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,73501785), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,73501785), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,73501785), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,73501785), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,73501785), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,73501785), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,73501785), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,73501785), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,73501785), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,73501785), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040B6D0, Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 370
    APIs
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,72A26A76), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,72A26A76), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,72A26A76), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(72A26C30,?,72A21948), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,72A21948), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,72A21948), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,72A21948), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,72A21948), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,72A21948), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,72A21948), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,72A21948), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,72A21948), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,72A21948), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,72A21948), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,72A21948), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp

    Non-executed Functions

    Function 0040CCB0, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 232
    APIs
    • __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040CD0B
    • __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD18
    • _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD53
    • __vbaFpI4.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD62
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,735068BA), ref: 0040CD78
    • #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
    • __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
    • __vbaStrMove.MSVBVM60 ref: 0040CDD8
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
    • __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
    • __vbaStrCat.MSVBVM60 ref: 0040CE10
    • __vbaStrMove.MSVBVM60 ref: 0040CE17
    • __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
    • __vbaStrMove.MSVBVM60 ref: 0040CE25
    • __vbaI4Str.MSVBVM60 ref: 0040CE28
    • __vbaUI1I4.MSVBVM60 ref: 0040CE30
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
    • _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
    • __vbaFpI4.MSVBVM60 ref: 0040CE8E
    • __vbaLenBstr.MSVBVM60 ref: 0040CEB2
    • __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
    • #644.MSVBVM60 ref: 0040CEE2
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
    • #644.MSVBVM60(?), ref: 0040CEF4
    • __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
    • #644.MSVBVM60 ref: 0040CF18
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
    • CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
    • __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
    • __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
    • #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040C8C0, Relevance: 56.3, APIs: 29, Strings: 3, Instructions: 264
    APIs
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
      • Part of subcall function 0040B6D0: #632.MSVBVM60(?,?,?,?), ref: 0040BA16
      • Part of subcall function 0040B6D0: __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
      • Part of subcall function 0040B6D0: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
      • Part of subcall function 0040B6D0: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040B6D0: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040B6D0: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040B6D0: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
      • Part of subcall function 0040B6D0: #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
      • Part of subcall function 0040B6D0: #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040B6D0: __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040B6D0: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
    • __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,735068BA), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,735068BA), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,735068BA), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,735068BA), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(73506A74,?,73501785), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,73501785), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,73501785), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,73501785), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,73501785), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,73501785), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,73501785), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,73501785), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,73501785), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,73501785), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,73501785), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,73501785), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
    • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
    • __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
      • Part of subcall function 0040B580: __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
      • Part of subcall function 0040B580: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
      • Part of subcall function 0040B580: __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60 ref: 0040B679
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B580: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B580: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B580: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
    • __vbaFreeStr.MSVBVM60 ref: 0040C9F4
    • __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
    • __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
    • __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C7B0: __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,735068BA), ref: 0040C806
      • Part of subcall function 0040C7B0: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
      • Part of subcall function 0040C7B0: __vbaI2Var.MSVBVM60(?), ref: 0040C855
      • Part of subcall function 0040C7B0: __vbaI4Var.MSVBVM60(?), ref: 0040C862
      • Part of subcall function 0040C7B0: __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
      • Part of subcall function 0040C7B0: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
      • Part of subcall function 0040C7B0: __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    • __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
    • __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040CCB0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040CD0B
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD18
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD53
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD62
      • Part of subcall function 0040CCB0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,735068BA), ref: 0040CD78
      • Part of subcall function 0040CCB0: #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
      • Part of subcall function 0040CCB0: __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CDD8
      • Part of subcall function 0040CCB0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60 ref: 0040CE10
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE17
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE25
      • Part of subcall function 0040CCB0: __vbaI4Str.MSVBVM60 ref: 0040CE28
      • Part of subcall function 0040CCB0: __vbaUI1I4.MSVBVM60 ref: 0040CE30
      • Part of subcall function 0040CCB0: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60 ref: 0040CE8E
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60 ref: 0040CEB2
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CEE2
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
      • Part of subcall function 0040CCB0: #644.MSVBVM60(?), ref: 0040CEF4
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CF18
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
      • Part of subcall function 0040CCB0: CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
      • Part of subcall function 0040CCB0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
      • Part of subcall function 0040CCB0: __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
      • Part of subcall function 0040CCB0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
    • __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC43
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC4F
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC58
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC64
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC70
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC79
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC85
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC8E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040C8C0, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 264
    APIs
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
      • Part of subcall function 0040B6D0: #632.MSVBVM60(?,?,?,?), ref: 0040BA16
      • Part of subcall function 0040B6D0: __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
      • Part of subcall function 0040B6D0: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
      • Part of subcall function 0040B6D0: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040B6D0: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040B6D0: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040B6D0: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
      • Part of subcall function 0040B6D0: #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
      • Part of subcall function 0040B6D0: #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040B6D0: __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040B6D0: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
    • __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,72A26A76), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,72A26A76), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,72A26A76), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(72A26C30,?,72A21948), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,72A21948), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,72A21948), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,72A21948), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,72A21948), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,72A21948), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,72A21948), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,72A21948), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,72A21948), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,72A21948), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,72A21948), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,72A21948), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
    • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
    • __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
      • Part of subcall function 0040B580: __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
      • Part of subcall function 0040B580: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
      • Part of subcall function 0040B580: __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60 ref: 0040B679
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B580: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B580: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B580: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
    • __vbaFreeStr.MSVBVM60 ref: 0040C9F4
    • __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
    • __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
    • __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C7B0: __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,72A26A76), ref: 0040C806
      • Part of subcall function 0040C7B0: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
      • Part of subcall function 0040C7B0: __vbaI2Var.MSVBVM60(?), ref: 0040C855
      • Part of subcall function 0040C7B0: __vbaI4Var.MSVBVM60(?), ref: 0040C862
      • Part of subcall function 0040C7B0: __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
      • Part of subcall function 0040C7B0: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
      • Part of subcall function 0040C7B0: __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    • __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
    • __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040CCB0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040CD0B
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD18
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD53
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD62
      • Part of subcall function 0040CCB0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,72A26A76), ref: 0040CD78
      • Part of subcall function 0040CCB0: #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
      • Part of subcall function 0040CCB0: __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CDD8
      • Part of subcall function 0040CCB0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60 ref: 0040CE10
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE17
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE25
      • Part of subcall function 0040CCB0: __vbaI4Str.MSVBVM60 ref: 0040CE28
      • Part of subcall function 0040CCB0: __vbaUI1I4.MSVBVM60 ref: 0040CE30
      • Part of subcall function 0040CCB0: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60 ref: 0040CE8E
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60 ref: 0040CEB2
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CEE2
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
      • Part of subcall function 0040CCB0: #644.MSVBVM60(?), ref: 0040CEF4
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CF18
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
      • Part of subcall function 0040CCB0: CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
      • Part of subcall function 0040CCB0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
      • Part of subcall function 0040CCB0: __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
      • Part of subcall function 0040CCB0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
    • __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC43
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC4F
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC58
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC64
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC70
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC79
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC85
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC8E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040CCB0, Relevance: 52.7, APIs: 35, Instructions: 232
    APIs
    • __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040CD0B
    • __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD18
    • _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD53
    • __vbaFpI4.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD62
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,72A26A76), ref: 0040CD78
    • #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
    • __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
    • __vbaStrMove.MSVBVM60 ref: 0040CDD8
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
    • __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
    • __vbaStrCat.MSVBVM60 ref: 0040CE10
    • __vbaStrMove.MSVBVM60 ref: 0040CE17
    • __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
    • __vbaStrMove.MSVBVM60 ref: 0040CE25
    • __vbaI4Str.MSVBVM60 ref: 0040CE28
    • __vbaUI1I4.MSVBVM60 ref: 0040CE30
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
    • _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
    • __vbaFpI4.MSVBVM60 ref: 0040CE8E
    • __vbaLenBstr.MSVBVM60 ref: 0040CEB2
    • __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
    • #644.MSVBVM60 ref: 0040CEE2
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
    • #644.MSVBVM60(?), ref: 0040CEF4
    • __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
    • #644.MSVBVM60 ref: 0040CF18
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
    • CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
    • __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
    • __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
    • #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040B930, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 219
    APIs
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B6D0: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B6D0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040B580, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 153
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
    • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
    • __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
    • __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
    • __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
    • __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
    • __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
    • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
    • __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
    • __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
    • __vbaStrMove.MSVBVM60 ref: 0040B679
    • __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
    • __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,735068BA), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,735068BA), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,735068BA), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,735068BA), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(73506A74,?,73501785), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,73501785), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,73501785), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,73501785), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,73501785), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,73501785), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,73501785), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,73501785), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,73501785), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,73501785), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,73501785), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,73501785), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040BB10, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 175
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040BB10, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 175
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040B930, Relevance: 31.7, APIs: 21, Instructions: 219
    APIs
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B6D0: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B6D0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040B580, Relevance: 31.7, APIs: 21, Instructions: 153
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
    • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
    • __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
    • __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
    • __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
    • __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
    • __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
    • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
    • __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
    • __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
    • __vbaStrMove.MSVBVM60 ref: 0040B679
    • __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
    • __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,72A26A76), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,72A26A76), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,72A26A76), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(72A26C30,?,72A21948), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,72A21948), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,72A21948), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,72A21948), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,72A21948), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,72A21948), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,72A21948), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,72A21948), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,72A21948), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,72A21948), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,72A21948), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,72A21948), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040CFD0, Relevance: 12.0, APIs: 8, Instructions: 46
    APIs
    • __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
    • __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
    • __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
    • #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
    • __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
    • __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
    • __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
    • __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040C7B0, Relevance: 10.6, APIs: 7, Instructions: 84
    APIs
    • __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,72A26A76), ref: 0040C806
    • __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
    • __vbaI2Var.MSVBVM60(?), ref: 0040C855
    • __vbaI4Var.MSVBVM60(?), ref: 0040C862
    • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
    • __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
    • __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040BD00, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
    APIs
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040BD00, Relevance: 7.5, APIs: 5, Instructions: 40
    APIs
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Memory Dump Source
    • Source File: 00000000.00000000.190469383.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.190464558.00400000.00000002.sdmp
    • Associated: 00000000.00000000.190477852.0040E000.00000008.sdmp
    • Associated: 00000000.00000000.190483406.00411000.00000002.sdmp
    Function 0040BF64, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24
    APIs
    • __vbaFreeStr.MSVBVM60 ref: 0040BF6D
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040BF81
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0040BF99
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040BAA1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
    APIs
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAAD
    • __vbaFreeStr.MSVBVM60 ref: 0040BAB6
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040BAC6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040B8D8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 12
    APIs
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040B8E4
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040B8EE
    • __vbaFreeStr.MSVBVM60 ref: 0040B8F7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040C666, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 11
    APIs
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C672
    • __vbaFreeStr.MSVBVM60 ref: 0040C67B
    • __vbaFreeVar.MSVBVM60 ref: 0040C687
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp
    Function 0040B682, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.190629717.00402000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.190593547.00400000.00000002.sdmp
    • Associated: 00000000.00000001.190615562.00401000.00000004.sdmp
    • Associated: 00000000.00000001.190641546.0040E000.00000008.sdmp
    • Associated: 00000000.00000001.190653105.0040F000.00000004.sdmp
    • Associated: 00000000.00000001.190670002.00411000.00000002.sdmp

    Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 3488 Parent PID: 3044

    Executed Functions

    Function 00421960, Relevance: 19.9, APIs: 9, Strings: 2, Instructions: 610
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417D90, Relevance: 18.5, APIs: 12, Instructions: 494
    APIs
    • GetConsoleMode.KERNEL32(?,?), ref: 00417EA0
    • GetConsoleCP.KERNEL32 ref: 00417EC0
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00417FB0
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00417FD9
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00418032
      • Part of subcall function 0042000A: WriteConsoleW.KERNEL32(?,7C802446,00000001,00000000,00000000), ref: 0042003C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004181A0
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041827A
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0041834A
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041837B
    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,00000D55,00000000,00000000), ref: 00418391
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004183D2
    • GetLastError.KERNEL32(?,?,?,?,00000000,?,00000001,?,?,00418522,?,?,?,0042FFD0,00000010,004174F9), ref: 004183F1
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00417C21: SetFilePointer.KERNEL32(?,7C802446,00000000,00418B97), ref: 00417C63
      • Part of subcall function 00417C21: GetLastError.KERNEL32(?,7C802446,00000000,00418B97,?,7C802446,?,?,?,00417E63,7C802446,00000000,00000000,00000002,?,00000001), ref: 00417C70
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004086F0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 217
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00408759
    • ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 004087AC
    • GetFileAttributesA.KERNEL32(?), ref: 004087FC
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040881B
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 00408885
      • Part of subcall function 0040D0C0: ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 0040D118
      • Part of subcall function 0040D0C0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D165
      • Part of subcall function 004084B0: lstrlenA.KERNEL32(.bat,?,.bat,00000004), ref: 004084DC
      • Part of subcall function 004084B0: lstrlenA.KERNEL32(0042DCF0,?,00000000,?,.bat,00000004), ref: 004084ED
    • Sleep.KERNEL32 ref: 00408973
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000002), ref: 00408980
    • PostQuitMessage.USER32(00000000), ref: 00408987
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041F55B, Relevance: 12.5, APIs: 8, Instructions: 500
    APIs
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 00417C21: SetFilePointer.KERNEL32(?,7C802446,00000000,00418B97), ref: 00417C63
      • Part of subcall function 00417C21: GetLastError.KERNEL32(?,7C802446,00000000,00418B97,?,7C802446,?,?,?,00417E63,7C802446,00000000,00000000,00000002,?,00000001), ref: 00417C70
    • ReadFile.KERNEL32(?,?,?,00421E7F,00000000), ref: 0041F74F
    • ReadFile.KERNEL32(?,?,00000001,00421E7F,00000000), ref: 0041F805
    • GetLastError.KERNEL32(?,?,00000001,00421E7F,00000000,?,?,?,00421E7F,00000000,?,00000000,?,?,?,00421E7F), ref: 0041F80F
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000003), ref: 0041F949
    • GetLastError.KERNEL32(?,?,?,00421E7F,00000000,?,00000000,?,?,?,00421E7F,?,?,00000003,?,00000109), ref: 0041F956
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    • ReadFile.KERNEL32(?,?,00000002,00421E7F,00000000), ref: 0041FA2B
    • GetLastError.KERNEL32(?,?,00000002,00421E7F,00000000,?,?,?,00421E7F,00000000,?,00000000,?,?,?,00421E7F), ref: 0041FA35
    • GetLastError.KERNEL32(?,?,?,00421E7F,00000000,?,00000000,?,?,?,00421E7F,?,?,00000003,?,00000109), ref: 0041FAD5
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00408541, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129
    APIs
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 004085A9
      • Part of subcall function 004086F0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00408759
      • Part of subcall function 004086F0: ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 004087AC
      • Part of subcall function 004086F0: GetFileAttributesA.KERNEL32(?), ref: 004087FC
      • Part of subcall function 004086F0: SetFileAttributesA.KERNEL32(?,00000080), ref: 0040881B
      • Part of subcall function 004086F0: Sleep.KERNEL32 ref: 00408885
      • Part of subcall function 004086F0: Sleep.KERNEL32 ref: 00408973
      • Part of subcall function 004086F0: ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000002), ref: 00408980
      • Part of subcall function 004086F0: PostQuitMessage.USER32(00000000), ref: 00408987
    • Sleep.KERNEL32 ref: 004085E8
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • Sleep.KERNEL32 ref: 00408687
    • SetTimer.USER32(?,00000001,?,00000000), ref: 004086BE
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00405D30: Sleep.KERNEL32 ref: 00405DEB
      • Part of subcall function 00405D30: Sleep.KERNEL32 ref: 00405E1E
      • Part of subcall function 00405D30: Sleep.KERNEL32 ref: 00405E65
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417C21, Relevance: 3.1, APIs: 2, Instructions: 52
    APIs
    • SetFilePointer.KERNEL32(?,7C802446,00000000,00418B97), ref: 00417C63
    • GetLastError.KERNEL32(?,7C802446,00000000,00418B97,?,7C802446,?,?,?,00417E63,7C802446,00000000,00000000,00000002,?,00000001), ref: 00417C70
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004077F0, Relevance: 3.0, APIs: 2, Instructions: 42
    APIs
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 00407823
      • Part of subcall function 00406B80: InitializeCriticalSection.KERNEL32(?), ref: 00406CAF
      • Part of subcall function 00406B80: InitializeCriticalSection.KERNEL32(?), ref: 00406CB5
    • PostQuitMessage.USER32(000000FF), ref: 00407874
      • Part of subcall function 00407040: IsWindow.USER32(?), ref: 00407144
      • Part of subcall function 00407040: DestroyWindow.USER32(?), ref: 0040714F
      • Part of subcall function 00407040: TlsSetValue.KERNEL32(?,00000000), ref: 004072F6
      • Part of subcall function 00407040: TlsFree.KERNEL32(?), ref: 00407303
      • Part of subcall function 00407040: DeleteCriticalSection.KERNEL32(?), ref: 00407320
      • Part of subcall function 00407040: DeleteCriticalSection.KERNEL32(?), ref: 00407326
      • Part of subcall function 00407040: DeleteCriticalSection.KERNEL32(?), ref: 0040732C
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00411260, Relevance: 1.5, APIs: 1, Instructions: 13
    APIs
      • Part of subcall function 00411235: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 00411235: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • ExitProcess.KERNEL32(00000000,?,004116C6,000000FF,0000001E,00000001,00000000,00000000,?,004159FD,00000000,00000001,?,?,004164D4,00000018), ref: 00411271
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,00000000,?,00416BB2,0000000D), ref: 00416573
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417398, Relevance: 1.5, APIs: 1, Instructions: 10
    APIs
    • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 004173A1
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004109BB, Relevance: 1.3, APIs: 1, Instructions: 7
    APIs
    • InitializeCriticalSection.KERNEL32(?), ref: 004109C3
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

    Non-executed Functions

    Function 00405880, Relevance: 82.6, APIs: 34, Strings: 13, Instructions: 312
    APIs
    • GetEnvironmentVariableA.KERNEL32(APPDATA,?,00000400), ref: 00405938
    • lstrcatA.KERNEL32(?,\Mozilla\Firefox\Profiles,?,?,?,?,?,00426E2E,000000FF), ref: 00405958
    • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,00426E2E,000000FF), ref: 00405968
    • lstrcatA.KERNEL32(?,\*.*,?,?,?,?,?,00426E2E,000000FF), ref: 0040597A
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Mozilla\Mozilla Firefox,00000000,00020019,?), ref: 0040599A
    • RegEnumKeyExA.ADVAPI32(?,?,?,?), ref: 004059BA
    • RegCloseKey.ADVAPI32(?), ref: 004059CB
    • lstrcatA.KERNEL32(?,\Main,?,?,?,?,?,?,?,?,?,?,?,?,00426E2E,000000FF), ref: 004059E4
    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00405A02
    • RegCloseKey.ADVAPI32(?), ref: 00405A0F
    • RegCloseKey.ADVAPI32(?), ref: 00405A29
    • RegQueryValueExA.ADVAPI32(?,Install Directory,00000000,00000000,?,?), ref: 00405A49
    • RegCloseKey.ADVAPI32(?), ref: 00405A5A
    • RegCloseKey.ADVAPI32 ref: 00405A78
    • GetCurrentDirectoryA.KERNEL32(00000400,?), ref: 00405A82
    • SetCurrentDirectoryA.KERNEL32(00000000), ref: 00405A9D
    • LoadLibraryA.KERNEL32(nss3.dll), ref: 00405AAC
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00405ABB
    • GetProcAddress.KERNEL32(?,NSS_InitReadWrite), ref: 00405AD9
    • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00405AE7
    • GetProcAddress.KERNEL32(?,CERT_GetDefaultCertDB), ref: 00405AF5
    • GetProcAddress.KERNEL32(?,CERT_ImportCerts), ref: 00405B03
    • GetProcAddress.KERNEL32(?,CERT_ChangeCertTrust), ref: 00405B11
    • GetProcAddress.KERNEL32(?,CERT_DestroyCertArray), ref: 00405B1F
    • FindFirstFileA.KERNEL32(?,?), ref: 00405B35
    • FreeLibrary.KERNEL32 ref: 00405B47
    • lstrcmpA.KERNEL32(?,0042DDEC,?,CERT_DestroyCertArray,?,CERT_ChangeCertTrust,?,CERT_ImportCerts,?,CERT_GetDefaultCertDB,?,NSS_Shutdown,?,NSS_InitReadWrite), ref: 00405B66
    • lstrcmpA.KERNEL32(?,0042DDF0,?,CERT_DestroyCertArray,?,CERT_ChangeCertTrust,?,CERT_ImportCerts,?,CERT_GetDefaultCertDB,?,NSS_Shutdown,?,NSS_InitReadWrite), ref: 00405B7C
    • lstrcpyA.KERNEL32(?,?), ref: 00405BA1
    • lstrcatA.KERNEL32(?,0042DDF4), ref: 00405BB3
    • lstrcatA.KERNEL32(?,?), ref: 00405BC3
    • FindNextFileA.KERNEL32(?,?), ref: 00405C9D
    • FindClose.KERNEL32(?), ref: 00405CB2
    • FreeLibrary.KERNEL32 ref: 00405CB9
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041F19A, Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134
    APIs
      • Part of subcall function 00416AE5: EncodePointer.KERNEL32(00000000,0041F1C0,00436808,00000314,?,?,?,?,?,?,0041727F,00436808,Microsoft Visual C++ Runtime Library,00012010), ref: 00416AE7
    • LoadLibraryW.KERNEL32(USER32.DLL), ref: 0041F1D5
    • GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0041F1F1
    • EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0041F202
    • GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0041F20F
    • EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F212
    • GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0041F21F
    • EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F222
    • GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0041F22F
    • EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F232
    • GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0041F243
    • EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F246
    • DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F268
    • DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F272
    • DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F2B1
    • DecodePointer.KERNEL32(?), ref: 0041F2CB
    • DecodePointer.KERNEL32(00436808,00000314), ref: 0041F2DF
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402860, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 236
    APIs
    • lstrlenA.KERNEL32(?), ref: 00402942
    • lstrcpynA.KERNEL32(?,Win32++ Window,000000FF), ref: 00402965
    • GetStockObject.GDI32(00000000), ref: 004029B2
    • LoadCursorA.USER32(00000000,00007F00), ref: 004029C4
      • Part of subcall function 00403100: GetClassInfoA.USER32(?,?,00000000), ref: 0040316A
      • Part of subcall function 00403100: RegisterClassA.USER32(?), ref: 004031B7
      • Part of subcall function 00403100: EnterCriticalSection.KERNEL32(?,?,00000000), ref: 0040320C
      • Part of subcall function 00403100: LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00403250
    • GetLastError.KERNEL32 ref: 004029F4
    • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00402A42
      • Part of subcall function 00401DE0: TlsGetValue.KERNEL32(?,?,00000054), ref: 00401E16
      • Part of subcall function 00401DE0: EnterCriticalSection.KERNEL32(?,?), ref: 00401E6A
      • Part of subcall function 00401DE0: InterlockedDecrement.KERNEL32 ref: 00401E9C
      • Part of subcall function 00401DE0: LeaveCriticalSection.KERNEL32(?), ref: 00401ED1
      • Part of subcall function 00401DE0: TlsSetValue.KERNEL32(?,00000000), ref: 00401EE2
    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00402AE3
    • GetClassInfoA.USER32(?,?,?), ref: 00402B30
    • SetWindowLongA.USER32(00000001,000000FC,00403350), ref: 00402B5D
    • SendMessageA.USER32(00000001,00000000,00000000,00000000), ref: 00402B70
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401A61
      • Part of subcall function 00401A50: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00401A9F
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,00000020), ref: 00412DF8
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406690, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 136
    APIs
    • CertOpenSystemStoreA.CRYPT32(00000000,ROOT,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF,?,00405E2D), ref: 004066C3
    • GetLastError.KERNEL32(?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF,?,00405E2D), ref: 00406729
    • CertCreateCertificateContext.CRYPT32(00010001,?,?,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF), ref: 0040673F
    • CertCloseStore.CRYPT32(?,00000000,?,?,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF), ref: 0040674D
    • CreateThread.KERNEL32(00000000,00000000,00406550,00000000), ref: 0040676A
    • CertAddCertificateContextToStore.CRYPT32(?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406778
    • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406788
    • TerminateThread.KERNEL32(?,00000000), ref: 004067F4
    • CertFreeCertificateContext.CRYPT32(?,?,00000000,?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 004067FB
    • CertCloseStore.CRYPT32(?,00000000,?,?,00000000,?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406804
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004060D0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 199
    APIs
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406122
      • Part of subcall function 0040D2D0: LoadLibraryA.KERNEL32(advapi32), ref: 0040D2F5
      • Part of subcall function 0040D2D0: GetProcAddress.KERNEL32(?,CheckTokenMembership), ref: 0040D308
      • Part of subcall function 0040D2D0: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D32B
      • Part of subcall function 0040D2D0: FreeLibrary.KERNEL32 ref: 0040D350
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    • KillTimer.USER32(?,00000001), ref: 00406210
      • Part of subcall function 00406350: SetTimer.USER32(?,00000001,?,00000000), ref: 00406388
    • ShellExecuteA.SHELL32(?,runas,?,?,?,00000005), ref: 00406234
      • Part of subcall function 0040D5D0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040D6DF
      • Part of subcall function 0040D5D0: Process32First.KERNEL32(?,?), ref: 0040D6FF
      • Part of subcall function 0040D5D0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040D7B8
      • Part of subcall function 0040D5D0: TerminateProcess.KERNEL32(?,00000009), ref: 0040D7C7
      • Part of subcall function 0040D5D0: CloseHandle.KERNEL32 ref: 0040D7CE
      • Part of subcall function 0040D5D0: Process32Next.KERNEL32(?,00000128), ref: 0040D7DC
      • Part of subcall function 0040D5D0: CloseHandle.KERNEL32(?), ref: 0040D803
    • PostQuitMessage.USER32 ref: 00406249
      • Part of subcall function 0040CC20: GetLocalTime.KERNEL32(?), ref: 0040CC36
      • Part of subcall function 0040CAC0: GetCurrentDirectoryA.KERNEL32(00000104), ref: 0040CAF4
      • Part of subcall function 0040CAC0: lstrcatA.KERNEL32(?,0042DDF4,0000000A), ref: 0040CB68
      • Part of subcall function 0040CAC0: lstrcatA.KERNEL32(?,?,?,0042DDF4,0000000A), ref: 0040CB72
      • Part of subcall function 0040CAC0: FindFirstFileA.KERNEL32(?,?), ref: 0040CB7C
      • Part of subcall function 0040CAC0: FindNextFileA.KERNEL32(?,?), ref: 0040CBF8
      • Part of subcall function 0040CAC0: FindClose.KERNEL32 ref: 0040CC03
      • Part of subcall function 0040C760: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C7C1
      • Part of subcall function 0040C760: RegSetValueExA.ADVAPI32(?,MaxCacheTtl,00000000,00000004,?,00000004), ref: 0040C806
      • Part of subcall function 0040C760: RegSetValueExA.ADVAPI32(?,MaxNegativeCacheTtl,?,00000004,00000001,00000004), ref: 0040C82A
      • Part of subcall function 0040C1C0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 0040C2CB
      • Part of subcall function 0040C1C0: RegQueryInfoKeyA.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040C371
      • Part of subcall function 0040C1C0: RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0040C3DA
      • Part of subcall function 0040C1C0: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C4E6
      • Part of subcall function 0040C1C0: RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C51E
      • Part of subcall function 0040C1C0: RegSetValueExA.ADVAPI32(?,NameServer,00000000,00000001,?,?), ref: 0040C54F
      • Part of subcall function 0040C1C0: RegCloseKey.ADVAPI32(?), ref: 0040C55C
      • Part of subcall function 0040C1C0: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C5B8
      • Part of subcall function 0040C1C0: RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C5EE
      • Part of subcall function 0040C1C0: RegCloseKey.ADVAPI32(?), ref: 0040C603
      • Part of subcall function 0040C850: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C922
      • Part of subcall function 0040C850: GetProcessHeap.KERNEL32 ref: 0040C93C
      • Part of subcall function 0040C850: HeapAlloc.KERNEL32(?,?,00000000), ref: 0040C943
      • Part of subcall function 0040C850: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C966
      • Part of subcall function 0040C850: RasGetEntryPropertiesA.RASAPI32(00000000,?,?,?,00000000,00000000), ref: 0040C9BD
      • Part of subcall function 0040C850: RasSetEntryPropertiesA.RASAPI32(00000000,?,00000B84,00000B84,00000000,00000000), ref: 0040CA62
      • Part of subcall function 0040C850: GetProcessHeap.KERNEL32 ref: 0040CA8F
      • Part of subcall function 0040C850: HeapFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040CA96
      • Part of subcall function 0040D210: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D231
      • Part of subcall function 0040D210: SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D243
      • Part of subcall function 0040D210: GetLastError.KERNEL32 ref: 0040D24D
      • Part of subcall function 0040D210: GetTickCount.KERNEL32 ref: 0040D271
      • Part of subcall function 0040D210: DeleteFileA.KERNEL32(?), ref: 0040D287
      • Part of subcall function 0040D210: GetTickCount.KERNEL32 ref: 0040D28D
      • Part of subcall function 0040D210: Sleep.KERNEL32(000000FA), ref: 0040D29B
      • Part of subcall function 0040D210: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040D2AE
      • Part of subcall function 0040D0C0: ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 0040D118
      • Part of subcall function 0040D0C0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D165
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000002), ref: 004062E8
    • PostQuitMessage.USER32(00000000), ref: 004062F0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D5D0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 193
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040D6DF
    • Process32First.KERNEL32(?,?), ref: 0040D6FF
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040D7B8
    • TerminateProcess.KERNEL32(?,00000009), ref: 0040D7C7
    • CloseHandle.KERNEL32 ref: 0040D7CE
    • Process32Next.KERNEL32(?,00000128), ref: 0040D7DC
    • CloseHandle.KERNEL32(?), ref: 0040D803
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D2D0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
    APIs
    • LoadLibraryA.KERNEL32(advapi32), ref: 0040D2F5
    • GetProcAddress.KERNEL32(?,CheckTokenMembership), ref: 0040D308
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D32B
    • FreeLibrary.KERNEL32 ref: 0040D350
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C850, Relevance: 12.2, APIs: 8, Instructions: 186
    APIs
    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C922
    • GetProcessHeap.KERNEL32 ref: 0040C93C
    • HeapAlloc.KERNEL32(?,?,00000000), ref: 0040C943
    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C966
    • RasGetEntryPropertiesA.RASAPI32(00000000,?,?,?,00000000,00000000), ref: 0040C9BD
    • RasSetEntryPropertiesA.RASAPI32(00000000,?,00000B84,00000B84,00000000,00000000), ref: 0040CA62
    • GetProcessHeap.KERNEL32 ref: 0040CA8F
    • HeapFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040CA96
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041751C, Relevance: 10.7, APIs: 7, Instructions: 195
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 00417527
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • GetFileType.KERNEL32 ref: 0041765A
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00417690
    • GetStdHandle.KERNEL32 ref: 004176E4
    • GetFileType.KERNEL32 ref: 004176F6
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00417724
    • LockResource.KERNEL32 ref: 0041774D
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00410A4E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00415E1D
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
    • UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
    • GetCurrentProcess.KERNEL32 ref: 00415E59
    • TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00410A4E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00415E1D
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
    • UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
    • GetCurrentProcess.KERNEL32 ref: 00415E59
    • TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041695A, Relevance: 4.6, APIs: 3, Instructions: 75
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00416A44
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001), ref: 00416A4E
    • UnhandledExceptionFilter.KERNEL32(?,?,00000001), ref: 00416A5B
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041695A, Relevance: 4.6, APIs: 3, Instructions: 75
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00416A44
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001), ref: 00416A4E
    • UnhandledExceptionFilter.KERNEL32(?,?,00000001), ref: 00416A5B
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00411553, Relevance: 1.5, APIs: 1, Instructions: 31
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B1D4, Relevance: 1.5, APIs: 1, Instructions: 4
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(0041B192), ref: 0041B1D9
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B1D4, Relevance: 1.5, APIs: 1, Instructions: 4
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(0041B192), ref: 0041B1D9
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040B6D0, Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 370
    APIs
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,72A26A76), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,72A26A76), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,72A26A76), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(72A26C30,?,72A21948), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,72A21948), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,72A21948), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,72A21948), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,72A21948), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,72A21948), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,72A21948), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,72A21948), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,72A21948), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,72A21948), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,72A21948), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,72A21948), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 0040C8C0, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 264
    APIs
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
      • Part of subcall function 0040B6D0: #632.MSVBVM60(?,?,?,?), ref: 0040BA16
      • Part of subcall function 0040B6D0: __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
      • Part of subcall function 0040B6D0: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
      • Part of subcall function 0040B6D0: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040B6D0: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040B6D0: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040B6D0: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
      • Part of subcall function 0040B6D0: #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
      • Part of subcall function 0040B6D0: #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040B6D0: __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040B6D0: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
    • __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,72A26A76), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,72A26A76), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,72A26A76), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(72A26C30,?,72A21948), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,72A21948), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,72A21948), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,72A21948), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,72A21948), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,72A21948), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,72A21948), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,72A21948), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,72A21948), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,72A21948), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,72A21948), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,72A21948), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
    • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
    • __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
      • Part of subcall function 0040B580: __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
      • Part of subcall function 0040B580: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
      • Part of subcall function 0040B580: __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60 ref: 0040B679
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B580: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B580: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B580: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
    • __vbaFreeStr.MSVBVM60 ref: 0040C9F4
    • __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
    • __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
    • __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C7B0: __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,72A26A76), ref: 0040C806
      • Part of subcall function 0040C7B0: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
      • Part of subcall function 0040C7B0: __vbaI2Var.MSVBVM60(?), ref: 0040C855
      • Part of subcall function 0040C7B0: __vbaI4Var.MSVBVM60(?), ref: 0040C862
      • Part of subcall function 0040C7B0: __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
      • Part of subcall function 0040C7B0: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
      • Part of subcall function 0040C7B0: __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    • __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
    • __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040CCB0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040CD0B
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD18
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD53
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD62
      • Part of subcall function 0040CCB0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,72A26A76), ref: 0040CD78
      • Part of subcall function 0040CCB0: #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
      • Part of subcall function 0040CCB0: __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CDD8
      • Part of subcall function 0040CCB0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60 ref: 0040CE10
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE17
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE25
      • Part of subcall function 0040CCB0: __vbaI4Str.MSVBVM60 ref: 0040CE28
      • Part of subcall function 0040CCB0: __vbaUI1I4.MSVBVM60 ref: 0040CE30
      • Part of subcall function 0040CCB0: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60 ref: 0040CE8E
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60 ref: 0040CEB2
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CEE2
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
      • Part of subcall function 0040CCB0: #644.MSVBVM60(?), ref: 0040CEF4
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CF18
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
      • Part of subcall function 0040CCB0: CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
      • Part of subcall function 0040CCB0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
      • Part of subcall function 0040CCB0: __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
      • Part of subcall function 0040CCB0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
    • __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC43
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC4F
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC58
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC64
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC70
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC79
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC85
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC8E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 0040CCB0, Relevance: 52.7, APIs: 35, Instructions: 232
    APIs
    • __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040CD0B
    • __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD18
    • _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD53
    • __vbaFpI4.MSVBVM60(?,00000000,?,00000000,72A26A76), ref: 0040CD62
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,72A26A76), ref: 0040CD78
    • #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
    • __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
    • __vbaStrMove.MSVBVM60 ref: 0040CDD8
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
    • __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
    • __vbaStrCat.MSVBVM60 ref: 0040CE10
    • __vbaStrMove.MSVBVM60 ref: 0040CE17
    • __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
    • __vbaStrMove.MSVBVM60 ref: 0040CE25
    • __vbaI4Str.MSVBVM60 ref: 0040CE28
    • __vbaUI1I4.MSVBVM60 ref: 0040CE30
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
    • _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
    • __vbaFpI4.MSVBVM60 ref: 0040CE8E
    • __vbaLenBstr.MSVBVM60 ref: 0040CEB2
    • __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
    • #644.MSVBVM60 ref: 0040CEE2
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
    • #644.MSVBVM60(?), ref: 0040CEF4
    • __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
    • #644.MSVBVM60 ref: 0040CF18
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
    • CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
    • __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
    • __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
    • #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 0040B9A0, Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 237
    APIs
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040B9EF
      • Part of subcall function 00401310: BeginPaint.USER32(?,?), ref: 0040138C
    • SaveDC.GDI32(?), ref: 0040BA0E
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • CreateFontA.GDI32(0000000E,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 0040BA68
      • Part of subcall function 0040B4F0: DeleteObject.GDI32 ref: 0040B50F
      • Part of subcall function 0040B4F0: EnterCriticalSection.KERNEL32(00000054), ref: 0040B537
      • Part of subcall function 0040B4F0: LeaveCriticalSection.KERNEL32(00000054), ref: 0040B55C
      • Part of subcall function 0040B4F0: InterlockedIncrement.KERNEL32(?), ref: 0040B57F
    • GetObjectA.GDI32(?,0000003C,?), ref: 0040BAA4
    • SelectObject.GDI32(?), ref: 0040BAB9
      • Part of subcall function 0040B750: EnterCriticalSection.KERNEL32(00000054), ref: 0040B799
      • Part of subcall function 0040B750: LeaveCriticalSection.KERNEL32(00000054), ref: 0040B7BD
    • GetUserDefaultLangID.KERNEL32(?), ref: 0040BAC8
    • GetModuleHandleA.KERNEL32(00000000), ref: 0040BAE6
    • FindResourceA.KERNEL32 ref: 0040BAED
    • GetModuleHandleA.KERNEL32(00000000), ref: 0040BB1A
    • FindResourceA.KERNEL32 ref: 0040BB21
    • SetBkMode.GDI32(?,00000001), ref: 0040BB65
    • SetTextColor.GDI32(?,00DCDCDC), ref: 0040BB7E
    • DrawTextA.USER32(?,?,000000CD), ref: 0040BBC4
    • SetTextColor.GDI32(?,00000000), ref: 0040BBD0
    • DrawTextA.USER32(?,?,00000258), ref: 0040BC0D
      • Part of subcall function 0040B5B0: EnterCriticalSection.KERNEL32(-00000054,?,0040B50E), ref: 0040B5C3
      • Part of subcall function 0040B5B0: InterlockedDecrement.KERNEL32(?,?), ref: 0040B5E6
      • Part of subcall function 0040B5B0: LeaveCriticalSection.KERNEL32(-00000054,?,?,0040B50E), ref: 0040B60E
    • RestoreDC.GDI32(?,?), ref: 0040BC26
    • InterlockedDecrement.KERNEL32(?), ref: 0040BC44
    • DeleteObject.GDI32 ref: 0040BC60
      • Part of subcall function 0040B640: EnterCriticalSection.KERNEL32(?), ref: 0040B66B
      • Part of subcall function 0040B640: LeaveCriticalSection.KERNEL32(?), ref: 0040B6A4
    • EndPaint.USER32(?,?), ref: 0040BCA2
      • Part of subcall function 004017B0: EnterCriticalSection.KERNEL32(-00000054,00401405), ref: 004017C2
      • Part of subcall function 004017B0: InterlockedDecrement.KERNEL32 ref: 004017D4
      • Part of subcall function 004017B0: LeaveCriticalSection.KERNEL32(-00000054), ref: 0040180C
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00406AC0: GetModuleHandleA.KERNEL32(00000000), ref: 00406ADE
      • Part of subcall function 00406AC0: LoadResource.KERNEL32 ref: 00406AE1
      • Part of subcall function 00406AC0: LockResource.KERNEL32 ref: 00406AE8
      • Part of subcall function 00406AC0: GetModuleHandleA.KERNEL32(00000000), ref: 00406AF4
      • Part of subcall function 00406AC0: SizeofResource.KERNEL32 ref: 00406AF7
      • Part of subcall function 00406AC0: GetDC.USER32(?), ref: 00406B4C
      • Part of subcall function 00406AC0: ReleaseDC.USER32(?), ref: 00406B60
    Strings
    • <, xrefs: 0040BBAE
    • Es wurde das Problem des Sicherheitssystems des ProgrammsproduktsMicrosoft gefunden, das die Systemarbeit beieinflussen kann. Um das System zuschutzen, muss man folgendes Auffrischen Microsoft aufspielen. Fur die volleAufzahlung der Probleme, die sich in di, xrefs: 0040BB0C
    • Arial, xrefs: 0040BA49
    • 2, xrefs: 0040BBE7
    • F, xrefs: 0040BBEF
    • A security issue has been identified in a Microsoft software product thatcould affect your system. You can help protect your system by installing this updatefrom Microsoft. For a complete listing of the issues that are included in this update,see the associ, xrefs: 0040BB40
    • MS13-052: Security Update for Microsoft .NET Framework 4 on Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista,Windows Server 2003, and Windows XP (KB2835393) , xrefs: 0040BB38
    • JPG, xrefs: 0040BAD4
    • B, xrefs: 0040BC4E, 0040BC70, 0040BC74
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040BB10, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 175
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 00416DDE, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 109
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416DE6
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00416E08
    • GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00416E15
    • GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00416E22
    • GetProcAddress.KERNEL32(?,FlsFree), ref: 00416E2F
    • TlsAlloc.KERNEL32(?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416E7F
    • TlsSetValue.KERNEL32 ref: 00416E9A
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EB5
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EC2
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416ECF
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EDC
      • Part of subcall function 004163CF: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 004163F7
    • EncodePointer.KERNEL32(00416CAF,?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EFD
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • EncodePointer.KERNEL32(?,?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416F2C
      • Part of subcall function 00416B68: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416B79
      • Part of subcall function 00416B68: InterlockedIncrement.KERNEL32(?), ref: 00416BBA
    • GetCurrentThreadId.KERNEL32 ref: 00416F3E
      • Part of subcall function 00416B2B: DecodePointer.KERNEL32(?,00416F54,?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416B3C
      • Part of subcall function 00416B2B: TlsFree.KERNEL32 ref: 00416B56
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040B930, Relevance: 31.7, APIs: 21, Instructions: 219
    APIs
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B6D0: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B6D0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,72A26A76), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,72A26A76,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(72A26A76,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,72A26A76), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(72A26A76,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 0040B580, Relevance: 31.7, APIs: 21, Instructions: 153
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
    • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
    • __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
    • __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
    • __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
    • __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
    • __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
    • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
    • __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
    • __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
    • __vbaStrMove.MSVBVM60 ref: 0040B679
    • __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
    • __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,72A26C30,72A26A76), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,72A26A76), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,72A26A76), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,72A26A76), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,72A26A76), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,72A26A76), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,72A26A76), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,72A26A76), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,72A26A76), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,72A26A76), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,72A26A76), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,72A26A76), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,72A26A76), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(72A26C30,?,72A21948), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,72A21948), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,72A21948), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,72A21948), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,72A21948), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,72A21948), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,72A21948), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,72A21948), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,72A21948), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,72A21948), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,72A21948), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,72A21948), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,72A21948), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,72A21948), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,72A21948), ref: 0040BAFD
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 00402300, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 222
    APIs
    • GetWindowRect.USER32(?,?), ref: 00402344
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040236F
    • GetParent.USER32(?), ref: 00402379
      • Part of subcall function 00401080: EnterCriticalSection.KERNEL32(00000054), ref: 004010B2
      • Part of subcall function 00401080: LeaveCriticalSection.KERNEL32(00000054), ref: 004010D6
      • Part of subcall function 00401080: PostMessageA.USER32(00000000,00008013,00000000,00000000), ref: 00401117
    • GetParent.USER32(?), ref: 00402390
    • GetWindowRect.USER32(?,?), ref: 004023B8
    • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00402401
    • GetProcAddress.KERNEL32(?,MonitorFromWindow), ref: 0040240F
    • GetProcAddress.KERNEL32(?,GetMonitorInfoA), ref: 0040241F
    • GetParent.USER32(?), ref: 004024C6
    • FreeLibrary.KERNEL32 ref: 00402506
    • IntersectRect.USER32(?,?,?), ref: 0040255B
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 004025DC
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C1C0, Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 401
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 0040C2CB
    • RegQueryInfoKeyA.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040C371
    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0040C3DA
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C4E6
    • RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C51E
    • RegSetValueExA.ADVAPI32(?,NameServer,00000000,00000001,?,?), ref: 0040C54F
    • RegCloseKey.ADVAPI32(?), ref: 0040C55C
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C5B8
    • RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C5EE
    • RegCloseKey.ADVAPI32(?), ref: 0040C603
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406B80, Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 314
    APIs
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • InitializeCriticalSection.KERNEL32(?), ref: 00406CAF
    • InitializeCriticalSection.KERNEL32(?), ref: 00406CB5
    • InitializeCriticalSection.KERNEL32(?), ref: 00406CBE
    • EnterCriticalSection.KERNEL32(?), ref: 00406CDB
    • TlsAlloc.KERNEL32 ref: 00406CE1
    • LeaveCriticalSection.KERNEL32(?), ref: 00406CF7
    • GetLastError.KERNEL32 ref: 00406D12
    • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00406D60
    • LeaveCriticalSection.KERNEL32(?), ref: 00406D93
    • VirtualQuery.KERNEL32(Function_00001DB0,?,0000001C), ref: 00406DD3
      • Part of subcall function 00407730: RegisterClassA.USER32 ref: 00407785
      • Part of subcall function 00407730: GetClassInfoA.USER32(?,Win32++ Temporary Window Class), ref: 004077C5
      • Part of subcall function 00407730: UnregisterClassA.USER32(Win32++ Temporary Window Class,?), ref: 004077E1
    • EnterCriticalSection.KERNEL32(?), ref: 00406DF6
      • Part of subcall function 004056D0: InterlockedIncrement.KERNEL32(?,?,00000034), ref: 00405765
    • LeaveCriticalSection.KERNEL32(-00000054,?,?,?,?,?,?,?), ref: 00406ED2
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,00000020), ref: 00412DF8
    Strings
    • CWinApp::CWinApp Failed to allocate TLS Index, xrefs: 00406D2B
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406550, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 172
    APIs
    • FindWindowA.USER32(#32770,00000000), ref: 00406597
      • Part of subcall function 0040BE30: GetWindowThreadProcessId.USER32(?,?), ref: 0040BE6F
      • Part of subcall function 0040BE30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BE78
      • Part of subcall function 0040BE30: Process32First.KERNEL32(?,?), ref: 0040BEA0
      • Part of subcall function 0040BE30: Process32Next.KERNEL32(?,00000128), ref: 0040BEC6
      • Part of subcall function 0040BE30: CloseHandle.KERNEL32(?), ref: 0040BF54
    • SetActiveWindow.USER32 ref: 00406673
    • EnumChildWindows.USER32(?,Function_00006530,00000000), ref: 00406681
    • ExitThread.KERNEL32(00000000,?,Function_00006530,00000000), ref: 00406689
    • CertOpenSystemStoreA.CRYPT32(00000000,ROOT,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF,?,00405E2D), ref: 004066C3
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • GetLastError.KERNEL32(?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF,?,00405E2D), ref: 00406729
    • CertCreateCertificateContext.CRYPT32(00010001,?,?,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF), ref: 0040673F
    • CertCloseStore.CRYPT32(?,00000000,?,?,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF), ref: 0040674D
    • CreateThread.KERNEL32(00000000,00000000,00406550,00000000), ref: 0040676A
    • CertAddCertificateContextToStore.CRYPT32(?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406778
    • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406788
    • TerminateThread.KERNEL32(?,00000000), ref: 004067F4
    • CertFreeCertificateContext.CRYPT32(?,?,00000000,?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 004067FB
    • CertCloseStore.CRYPT32(?,00000000,?,?,00000000,?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406804
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00405F60, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
    APIs
    • MessageBeep.USER32(000000FF), ref: 00405F75
    • GetDesktopWindow.USER32 ref: 00405F7B
    • GetWindowRect.USER32(?,?), ref: 00405F86
    • ShowWindow.USER32(?,00000005), ref: 00406003
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406013
    • TranslateMessage.USER32(?), ref: 00406034
    • DispatchMessageA.USER32(?), ref: 0040603A
    • IsWindow.USER32(?), ref: 00406043
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406057
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D210, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 64
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D231
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D243
    • GetLastError.KERNEL32 ref: 0040D24D
    • GetTickCount.KERNEL32 ref: 0040D271
    • DeleteFileA.KERNEL32(?), ref: 0040D287
    • GetTickCount.KERNEL32 ref: 0040D28D
    • Sleep.KERNEL32(000000FA), ref: 0040D29B
    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040D2AE
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406910, Relevance: 13.6, APIs: 9, Instructions: 101
    APIs
    • GlobalAlloc.KERNEL32(00000002,?), ref: 00406924
    • GlobalLock.KERNEL32 ref: 0040692D
    • GlobalUnlock.KERNEL32 ref: 00406945
    • CreateStreamOnHGlobal.OLE32(?,00000001,?), ref: 00406959
    • #418.OLEAUT32(00000000,00000000,00000000,0042A470,00000000,?,00000001,?), ref: 00406970
    • GetDC.USER32(00000000), ref: 0040699D
    • GetDeviceCaps.GDI32(?,00000058), ref: 004069A8
    • GetDeviceCaps.GDI32(?,00000058), ref: 004069E5
    • ReleaseDC.USER32(00000000), ref: 00406A24
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00422BD3, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 244
    APIs
    • GetCPInfo.KERNEL32(00000000,?), ref: 00422C91
    • MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,00000000,00000000), ref: 00422D17
    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000), ref: 00422D8A
    • MultiByteToWideChar.KERNEL32(00000000,00000009,q.B,?,00000000,00000000), ref: 00422DA3
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004159FD,00000000,00000001,?,?,004164D4,00000018,0042FEC0,0000000C,00416564), ref: 004116DC
    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000), ref: 00422DFF
    • CompareStringW.KERNEL32(?,?,00000000,?,00000000), ref: 00422E13
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041C4A6, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191
    APIs
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 00416790: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004167E8
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000), ref: 004168C5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004), ref: 004168E5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00416921
    • InterlockedDecrement.KERNEL32(?), ref: 0041C64A
    • InterlockedDecrement.KERNEL32(?), ref: 0041C657
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041D0EF, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172
    APIs
      • Part of subcall function 0041D0B3: EnumSystemLocalesA.KERNEL32(0041CF8C,00000001), ref: 0041D0DE
      • Part of subcall function 0041D04C: EnumSystemLocalesA.KERNEL32(0041CDBB,00000001), ref: 0041D093
    • EnumSystemLocalesA.KERNEL32(0041CCB9,00000001), ref: 0041D1BF
    • GetUserDefaultLCID.KERNEL32 ref: 0041D1D8
      • Part of subcall function 0041CBC4: GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002), ref: 0041CC03
      • Part of subcall function 0041CBC4: GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002), ref: 0041CC2C
      • Part of subcall function 0041CBC4: GetACP.KERNEL32 ref: 0041CC40
    • IsValidCodePage.KERNEL32 ref: 0041D22A
    • IsValidLocale.KERNEL32(?,00000001), ref: 0041D23D
    • GetLocaleInfoA.KERNEL32(?,00001002,?,00000040), ref: 0041D2BB
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
    • GetLocaleInfoA.KERNEL32(?,00001001,?,00000040), ref: 0041D2A7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417142, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,0043683A,00000104,00000001,00000000), ref: 004171DE
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
      • Part of subcall function 0041F19A: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0041F1D5
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0041F1F1
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0041F202
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0041F20F
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F212
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0041F21F
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F222
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0041F22F
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F232
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0041F243
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F246
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F268
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F272
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F2B1
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?), ref: 0041F2CB
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(00436808,00000314), ref: 0041F2DF
    • GetStdHandle.KERNEL32(000000F4), ref: 00417290
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004172DC
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C760, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75
    APIs
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C7C1
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    • RegSetValueExA.ADVAPI32(?,MaxCacheTtl,00000000,00000004,?,00000004), ref: 0040C806
    • RegSetValueExA.ADVAPI32(?,MaxNegativeCacheTtl,?,00000004,00000001,00000004), ref: 0040C82A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00419DBB, Relevance: 12.1, APIs: 8, Instructions: 61
    APIs
    • InterlockedDecrement.KERNEL32(004193DB,?,00000000), ref: 00419DD5
    • InterlockedDecrement.KERNEL32(1375C88B,?,00000000), ref: 00419DE2
    • InterlockedDecrement.KERNEL32(0C880A8A,?,00000000), ref: 00419DEF
    • InterlockedDecrement.KERNEL32(F22BF08B,?,00000000), ref: 00419DFC
    • InterlockedDecrement.KERNEL32(754F2274,?,00000000), ref: 00419E09
    • InterlockedDecrement.KERNEL32(?,?,00000000), ref: 00419E25
    • InterlockedDecrement.KERNEL32(C35D10C4,?,00000000), ref: 00419E35
    • InterlockedDecrement.KERNEL32(05744E54,?,00000000), ref: 00419E4B
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00419D2C, Relevance: 12.1, APIs: 8, Instructions: 58
    APIs
    • InterlockedIncrement.KERNEL32(00000000,00000001,00000000), ref: 00419D3E
    • InterlockedIncrement.KERNEL32(?), ref: 00419D4B
    • InterlockedIncrement.KERNEL32(?), ref: 00419D58
    • InterlockedIncrement.KERNEL32(?), ref: 00419D65
    • InterlockedIncrement.KERNEL32(?), ref: 00419D72
    • InterlockedIncrement.KERNEL32 ref: 00419D8E
    • InterlockedIncrement.KERNEL32(?), ref: 00419D9E
    • InterlockedIncrement.KERNEL32(?), ref: 00419DB4
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040CFD0, Relevance: 12.0, APIs: 8, Instructions: 46
    APIs
    • __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
    • __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
    • __vbaStrCopy.MSVBVM60(?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
    • #644.MSVBVM60(?,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
    • __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
    • __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
    • __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
    • __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,72A26A76,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 00407040, Relevance: 10.8, APIs: 7, Instructions: 332
    APIs
      • Part of subcall function 00407B00: InterlockedIncrement.KERNEL32(?,?), ref: 00407B2E
      • Part of subcall function 00407B00: InterlockedDecrement.KERNEL32(?), ref: 00407B47
      • Part of subcall function 004057A0: InterlockedDecrement.KERNEL32(?,0040506E,00000000), ref: 004057B7
      • Part of subcall function 004056D0: InterlockedIncrement.KERNEL32(?,?,00000034), ref: 00405765
    • IsWindow.USER32(?), ref: 00407144
    • DestroyWindow.USER32(?), ref: 0040714F
    • TlsSetValue.KERNEL32(?,00000000), ref: 004072F6
    • TlsFree.KERNEL32(?), ref: 00407303
    • DeleteCriticalSection.KERNEL32(?), ref: 00407320
    • DeleteCriticalSection.KERNEL32(?), ref: 00407326
    • DeleteCriticalSection.KERNEL32(?), ref: 0040732C
      • Part of subcall function 004057F0: InterlockedDecrement.KERNEL32(?,?,?), ref: 00405807
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040708B, Relevance: 10.8, APIs: 7, Instructions: 299
    APIs
      • Part of subcall function 00407B00: InterlockedIncrement.KERNEL32(?,?), ref: 00407B2E
      • Part of subcall function 00407B00: InterlockedDecrement.KERNEL32(?), ref: 00407B47
      • Part of subcall function 004057A0: InterlockedDecrement.KERNEL32(?,0040506E,00000000), ref: 004057B7
      • Part of subcall function 004056D0: InterlockedIncrement.KERNEL32(?,?,00000034), ref: 00405765
    • IsWindow.USER32(?), ref: 00407144
    • DestroyWindow.USER32(?), ref: 0040714F
    • TlsSetValue.KERNEL32(?,00000000), ref: 004072F6
    • TlsFree.KERNEL32(?), ref: 00407303
    • DeleteCriticalSection.KERNEL32(?), ref: 00407320
    • DeleteCriticalSection.KERNEL32(?), ref: 00407326
    • DeleteCriticalSection.KERNEL32(?), ref: 0040732C
      • Part of subcall function 004057F0: InterlockedDecrement.KERNEL32(?,?,?), ref: 00405807
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040BFD0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 128
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040C00B
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 0040C11E
    • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0040C156
    • RegCloseKey.ADVAPI32(00000000), ref: 0040C163
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C7B0, Relevance: 10.6, APIs: 7, Instructions: 84
    APIs
    • __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,72A26A76), ref: 0040C806
    • __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
    • __vbaI2Var.MSVBVM60(?), ref: 0040C855
    • __vbaI4Var.MSVBVM60(?), ref: 0040C862
    • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
    • __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
    • __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 00406AC0, Relevance: 10.6, APIs: 7, Instructions: 69
    APIs
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004159FD,00000000,00000001,?,?,004164D4,00000018,0042FEC0,0000000C,00416564), ref: 004116DC
    • GetModuleHandleA.KERNEL32(00000000), ref: 00406ADE
    • LoadResource.KERNEL32 ref: 00406AE1
    • LockResource.KERNEL32 ref: 00406AE8
    • GetModuleHandleA.KERNEL32(00000000), ref: 00406AF4
    • SizeofResource.KERNEL32 ref: 00406AF7
      • Part of subcall function 00406910: GlobalAlloc.KERNEL32(00000002,?), ref: 00406924
      • Part of subcall function 00406910: GlobalLock.KERNEL32 ref: 0040692D
      • Part of subcall function 00406910: GlobalUnlock.KERNEL32 ref: 00406945
      • Part of subcall function 00406910: CreateStreamOnHGlobal.OLE32(?,00000001,?), ref: 00406959
      • Part of subcall function 00406910: #418.OLEAUT32(00000000,00000000,00000000,0042A470,00000000,?,00000001,?), ref: 00406970
      • Part of subcall function 00406910: GetDC.USER32(00000000), ref: 0040699D
      • Part of subcall function 00406910: GetDeviceCaps.GDI32(?,00000058), ref: 004069A8
      • Part of subcall function 00406910: GetDeviceCaps.GDI32(?,00000058), ref: 004069E5
      • Part of subcall function 00406910: ReleaseDC.USER32(00000000), ref: 00406A24
    • GetDC.USER32(?), ref: 00406B4C
    • ReleaseDC.USER32(?), ref: 00406B60
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004211F1, Relevance: 9.2, APIs: 6, Instructions: 191
    APIs
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 0042136F
    • GetLastError.KERNEL32(?,00000000), ref: 00421377
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004213B1
    • GetExitCodeProcess.KERNEL32(?,00000000), ref: 004213BE
    • CloseHandle.KERNEL32(?), ref: 004213D2
    • CloseHandle.KERNEL32(?), ref: 004213DC
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00415226, Relevance: 9.2, APIs: 6, Instructions: 190
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000100,00000000,00000000), ref: 00415297
    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000100,?), ref: 00415305
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 00415321
    • LCMapStringW.KERNEL32(?,?,?,?,?), ref: 0041535A
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004159FD,00000000,00000001,?,?,004164D4,00000018,0042FEC0,0000000C,00416564), ref: 004116DC
    • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 004153C0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 004153DF
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00423261, Relevance: 9.2, APIs: 6, Instructions: 156
    APIs
      • Part of subcall function 00417C21: SetFilePointer.KERNEL32(?,7C802446,00000000,00418B97), ref: 00417C63
      • Part of subcall function 00417C21: GetLastError.KERNEL32(?,7C802446,00000000,00418B97,?,7C802446,?,?,?,00417E63,7C802446,00000000,00000000,00000002,?,00000001), ref: 00417C70
    • GetProcessHeap.KERNEL32 ref: 004232CA
    • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00421D37), ref: 004232D1
      • Part of subcall function 00417D90: GetConsoleMode.KERNEL32(?,?), ref: 00417EA0
      • Part of subcall function 00417D90: GetConsoleCP.KERNEL32 ref: 00417EC0
      • Part of subcall function 00417D90: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00417FB0
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00417FD9
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00418032
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004181A0
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041827A
      • Part of subcall function 00417D90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0041834A
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041837B
      • Part of subcall function 00417D90: GetLastError.KERNEL32(?,?,?,?,00000000,?,?,00000D55,00000000,00000000), ref: 00418391
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004183D2
      • Part of subcall function 00417D90: GetLastError.KERNEL32(?,?,?,?,00000000,?,00000001,?,?,00418522,?,?,?,0042FFD0,00000010,004174F9), ref: 004183F1
    • GetProcessHeap.KERNEL32 ref: 0042334D
    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00421D37), ref: 00423354
    • SetEndOfFile.KERNEL32 ref: 004233AF
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00421D37), ref: 004233DC
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00401F00, Relevance: 9.1, APIs: 6, Instructions: 143
    APIs
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 004043D0: InterlockedIncrement.KERNEL32(00000000,?,00000054), ref: 00404436
    • InterlockedIncrement.KERNEL32(?,?), ref: 00401F6B
    • InterlockedDecrement.KERNEL32(00000000,?), ref: 00401F88
    • InterlockedDecrement.KERNEL32(?,?), ref: 00401FAC
    • InterlockedIncrement.KERNEL32(?,?), ref: 00401FE7
    • InterlockedDecrement.KERNEL32(?,?), ref: 00402004
    • InterlockedDecrement.KERNEL32(?,?), ref: 00402028
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040CAC0, Relevance: 9.1, APIs: 6, Instructions: 121
    APIs
    • GetCurrentDirectoryA.KERNEL32(00000104), ref: 0040CAF4
    • lstrcatA.KERNEL32(?,0042DDF4,0000000A), ref: 0040CB68
    • lstrcatA.KERNEL32(?,?,?,0042DDF4,0000000A), ref: 0040CB72
    • FindFirstFileA.KERNEL32(?,?), ref: 0040CB7C
    • FindNextFileA.KERNEL32(?,?), ref: 0040CBF8
    • FindClose.KERNEL32 ref: 0040CC03
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004111B5, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
    APIs
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004159FD,00000000,00000001,?,?,004164D4,00000018,0042FEC0,0000000C,00416564), ref: 004116DC
      • Part of subcall function 004163A7: DecodePointer.KERNEL32(?,0041EDD8,?,00000000,?,00415A47,00000000,?,00000000,?,?,?,00416C47,00000001,00000214), ref: 004163B2
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,00000020), ref: 00412DF8
    • GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041CBC4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002), ref: 0041CC03
    • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002), ref: 0041CC2C
    • GetACP.KERNEL32 ref: 0041CC40
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040BE30, Relevance: 7.6, APIs: 5, Instructions: 110
    APIs
    • GetWindowThreadProcessId.USER32(?,?), ref: 0040BE6F
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BE78
    • Process32First.KERNEL32(?,?), ref: 0040BEA0
    • Process32Next.KERNEL32(?,00000128), ref: 0040BEC6
    • CloseHandle.KERNEL32(?), ref: 0040BF54
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00411378, Relevance: 7.6, APIs: 5, Instructions: 98
    APIs
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,00000000,?,00416BB2,0000000D), ref: 00416573
    • EncodePointer.KERNEL32(0042FAF8,00000020,004114DF,00000000,00000001,00000000,?,0041151F,000000FF,?,00416570,00000011,00000000,?,00416BB2,0000000D), ref: 004113C2
    • EncodePointer.KERNEL32(?,0041151F,000000FF,?,00416570,00000011,00000000,?,00416BB2,0000000D), ref: 004113D3
      • Part of subcall function 00416AE5: EncodePointer.KERNEL32(00000000,0041F1C0,00436808,00000314,?,?,?,?,?,?,0041727F,00436808,Microsoft Visual C++ Runtime Library,00012010), ref: 00416AE7
    • EncodePointer.KERNEL32(?,?,0041151F,000000FF,?,00416570,00000011,00000000,?,00416BB2,0000000D), ref: 004113F9
    • EncodePointer.KERNEL32(?,?,0041151F,000000FF,?,00416570,00000011,00000000,?,00416BB2,0000000D), ref: 0041140C
    • EncodePointer.KERNEL32(?,?,0041151F,000000FF,?,00416570,00000011,00000000,?,00416BB2,0000000D), ref: 00411416
      • Part of subcall function 00416470: LeaveCriticalSection.KERNEL32(?,00416547,0000000A,00416537,0042FEC0,0000000C,00416564,00000000,00000000,?,00416BB2,0000000D), ref: 0041647F
      • Part of subcall function 00411260: ExitProcess.KERNEL32(00000000,?,004116C6,000000FF,0000001E,00000001,00000000,00000000,?,004159FD,00000000,00000001,?,?,004164D4,00000018), ref: 00411271
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00401DE0, Relevance: 7.6, APIs: 5, Instructions: 96
    APIs
    • TlsGetValue.KERNEL32(?,?,00000054), ref: 00401E16
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • EnterCriticalSection.KERNEL32(?,?), ref: 00401E6A
      • Part of subcall function 00404580: InterlockedIncrement.KERNEL32(00000000,?,?), ref: 004045E6
      • Part of subcall function 00404320: InterlockedIncrement.KERNEL32(?,00000000,00401E8B), ref: 0040435C
      • Part of subcall function 00404320: InterlockedIncrement.KERNEL32(?,00000000,00401E8B), ref: 0040438A
    • InterlockedDecrement.KERNEL32 ref: 00401E9C
    • LeaveCriticalSection.KERNEL32(?), ref: 00401ED1
    • TlsSetValue.KERNEL32(?,00000000), ref: 00401EE2
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004074F0, Relevance: 7.6, APIs: 5, Instructions: 90
    APIs
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00407535
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040755C
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040756B
    • TranslateMessage.USER32(?), ref: 0040759A
    • DispatchMessageA.USER32(?), ref: 004075A4
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004015C0, Relevance: 7.6, APIs: 5, Instructions: 86
    APIs
    • EnterCriticalSection.KERNEL32(00000054), ref: 004015EA
    • LeaveCriticalSection.KERNEL32(00000054), ref: 0040160C
    • InterlockedIncrement.KERNEL32(?), ref: 0040165F
      • Part of subcall function 004057A0: InterlockedDecrement.KERNEL32(?,0040506E,00000000), ref: 004057B7
    • WindowFromDC.USER32(?), ref: 0040167B
    • SaveDC.GDI32(?), ref: 00401698
      • Part of subcall function 00401550: EnterCriticalSection.KERNEL32(-00000054,?,00000054), ref: 0040156C
      • Part of subcall function 00401550: LeaveCriticalSection.KERNEL32(-00000054,00000004), ref: 004015B3
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00401450, Relevance: 7.6, APIs: 5, Instructions: 81
    APIs
    • EnterCriticalSection.KERNEL32(00000054), ref: 00401482
    • LeaveCriticalSection.KERNEL32(?), ref: 004014A9
    • InterlockedIncrement.KERNEL32(?), ref: 004014BF
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • SaveDC.GDI32(00000000), ref: 00401504
    • WindowFromDC.USER32(00000000), ref: 00401511
      • Part of subcall function 00401550: EnterCriticalSection.KERNEL32(-00000054,?,00000054), ref: 0040156C
      • Part of subcall function 00401550: LeaveCriticalSection.KERNEL32(-00000054,00000004), ref: 004015B3
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00410FAF, Relevance: 7.6, APIs: 5, Instructions: 74
    APIs
    • EncodePointer.KERNEL32(004362E8,0042A4F4,?,?,?,004110B3,00000000,0042FAB8,0000000C,004110DF,00000000,?,00411219,0042956B,00000000), ref: 00410FC4
    • EncodePointer.KERNEL32(?,?,004110B3,00000000,0042FAB8,0000000C,004110DF,00000000,?,00411219,0042956B,00000000), ref: 00410FD1
      • Part of subcall function 0041625F: HeapSize.KERNEL32(00000000,00000000,?,00410FEF,?,?,?,004110B3,00000000,0042FAB8,0000000C,004110DF,00000000,?,00411219,0042956B), ref: 0041628A
      • Part of subcall function 00415A7D: Sleep.KERNEL32(00000000), ref: 00415AA7
    • EncodePointer.KERNEL32(?,?,?,004110B3,00000000,0042FAB8,0000000C,004110DF,00000000,?,00411219,0042956B,00000000), ref: 00411036
    • EncodePointer.KERNEL32(00000000,?,?,004110B3,00000000,0042FAB8,0000000C,004110DF,00000000,?,00411219,0042956B,00000000), ref: 0041104A
    • EncodePointer.KERNEL32(?,?,?,004110B3,00000000,0042FAB8,0000000C,004110DF,00000000,?,00411219,0042956B,00000000), ref: 00411052
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B6BC, Relevance: 7.6, APIs: 5, Instructions: 72
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0041B6C6
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B704
    • FreeEnvironmentStringsW.KERNEL32 ref: 0041B746
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041B727
    • FreeEnvironmentStringsW.KERNEL32 ref: 0041B73A
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00407519, Relevance: 7.6, APIs: 5, Instructions: 66
    APIs
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00407535
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040755C
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040756B
    • TranslateMessage.USER32(?), ref: 0040759A
    • DispatchMessageA.USER32(?), ref: 004075A4
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B753, Relevance: 7.6, APIs: 5, Instructions: 54
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0041B78A
    • GetCurrentProcessId.KERNEL32 ref: 0041B796
    • GetCurrentThreadId.KERNEL32 ref: 0041B79E
    • GetTickCount.KERNEL32 ref: 0041B7A6
    • QueryPerformanceCounter.KERNEL32(?), ref: 0041B7B2
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040BD00, Relevance: 7.5, APIs: 5, Instructions: 40
    APIs
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Memory Dump Source
    • Source File: 00000001.00000000.194550249.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000000.194539128.00400000.00000002.sdmp
    • Associated: 00000001.00000000.194563501.0040E000.00000008.sdmp
    • Associated: 00000001.00000000.194578074.00411000.00000002.sdmp
    Function 00402600, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176
    APIs
    • GetClassInfoA.USER32(?,00000000,00000000), ref: 00402688
    • RegisterClassA.USER32(?), ref: 004026F2
      • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401A61
      • Part of subcall function 00401A50: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00401A9F
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,00000020), ref: 00412DF8
      • Part of subcall function 004019B0: EnterCriticalSection.KERNEL32(00000054), ref: 004019DA
      • Part of subcall function 004019B0: LeaveCriticalSection.KERNEL32(00000054), ref: 004019FF
      • Part of subcall function 004019B0: IsMenu.USER32(00000000), ref: 00401A09
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D0C0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
    APIs
    • ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 0040D118
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D165
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00407730, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
    APIs
    • RegisterClassA.USER32 ref: 00407785
    • GetClassInfoA.USER32(?,Win32++ Temporary Window Class), ref: 004077C5
    • UnregisterClassA.USER32(Win32++ Temporary Window Class,?), ref: 004077E1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00411235, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416790, Relevance: 6.2, APIs: 4, Instructions: 155
    APIs
    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004167E8
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
    • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000), ref: 004168C5
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • GetLocaleInfoW.KERNEL32(?,00001004), ref: 004168E5
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    • GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00416921
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004139C7, Relevance: 6.1, APIs: 4, Instructions: 133
    APIs
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    • InterlockedDecrement.KERNEL32(?), ref: 00413A93
    • InterlockedDecrement.KERNEL32(?), ref: 00413AAA
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    • InterlockedDecrement.KERNEL32(?,00000000,00000000), ref: 00413AF3
    • InterlockedDecrement.KERNEL32(?,00000000,00000000), ref: 00413B0A
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00419B74, Relevance: 6.1, APIs: 4, Instructions: 116
    APIs
      • Part of subcall function 0041986B: InterlockedDecrement.KERNEL32(?,00430030,0000000C), ref: 004198C4
      • Part of subcall function 0041986B: InterlockedIncrement.KERNEL32(00434818,00430030,0000000C), ref: 004198EF
      • Part of subcall function 0041990F: GetOEMCP.KERNEL32 ref: 00419938
      • Part of subcall function 0041990F: GetACP.KERNEL32 ref: 0041995B
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 0041998B: IsValidCodePage.KERNEL32 ref: 004199FE
      • Part of subcall function 0041998B: GetCPInfo.KERNEL32(?,?), ref: 00419A11
    • InterlockedDecrement.KERNEL32(85038B09,00430050,00000014), ref: 00419BEA
    • InterlockedIncrement.KERNEL32 ref: 00419C0F
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,00000000,?,00416BB2,0000000D), ref: 00416573
    • InterlockedDecrement.KERNEL32 ref: 00419CA1
    • InterlockedIncrement.KERNEL32 ref: 00419CC5
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004075F0, Relevance: 6.1, APIs: 4, Instructions: 104
    APIs
    • TranslateAcceleratorA.USER32(?,?,?), ref: 00407637
    • EnterCriticalSection.KERNEL32(?), ref: 00407663
    • LeaveCriticalSection.KERNEL32(?), ref: 004076B5
    • GetParent.USER32(?), ref: 004076D7
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402090, Relevance: 6.1, APIs: 4, Instructions: 78
    APIs
    • IsWindow.USER32(00000001), ref: 004020D6
    • DestroyWindow.USER32(00000001), ref: 004020E4
      • Part of subcall function 004031E0: EnterCriticalSection.KERNEL32(?,?,00000000), ref: 0040320C
      • Part of subcall function 004031E0: LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00403250
    • InterlockedDecrement.KERNEL32 ref: 00402117
    • InterlockedDecrement.KERNEL32 ref: 0040213A
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040B4F0, Relevance: 6.1, APIs: 4, Instructions: 66
    APIs
    • DeleteObject.GDI32 ref: 0040B50F
    • EnterCriticalSection.KERNEL32(00000054), ref: 0040B537
    • LeaveCriticalSection.KERNEL32(00000054), ref: 0040B55C
    • InterlockedIncrement.KERNEL32(?), ref: 0040B57F
      • Part of subcall function 0040B480: EnterCriticalSection.KERNEL32(-00000054), ref: 0040B49C
      • Part of subcall function 0040B480: LeaveCriticalSection.KERNEL32(-00000054), ref: 0040B4E4
      • Part of subcall function 0040B5B0: EnterCriticalSection.KERNEL32(-00000054,?,0040B50E), ref: 0040B5C3
      • Part of subcall function 0040B5B0: InterlockedDecrement.KERNEL32(?,?), ref: 0040B5E6
      • Part of subcall function 0040B5B0: LeaveCriticalSection.KERNEL32(-00000054,?,?,0040B50E), ref: 0040B60E
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004194E8, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61
    APIs
    • CloseHandle.KERNEL32 ref: 0041953A
    • GetLastError.KERNEL32(?,00000000,?,?,00421D08,?,?,?,00000109), ref: 00419544
      • Part of subcall function 0041FCBC: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0041FD18
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416C1C, Relevance: 6.0, APIs: 4, Instructions: 45
    APIs
    • GetLastError.KERNEL32(?,?,00415B64,00411683,?,?,00410AEB,?,?,00401021), ref: 00416C20
      • Part of subcall function 00416AF7: TlsGetValue.KERNEL32(?,00416C33), ref: 00416B00
      • Part of subcall function 00416AF7: DecodePointer.KERNEL32(?,00416C33,?,?,00415B64,00411683,?,?,00410AEB,?,?,00401021), ref: 00416B12
      • Part of subcall function 00416AF7: TlsSetValue.KERNEL32 ref: 00416B21
    • SetLastError.KERNEL32(?,?,?,00415B64,00411683,?,?,00410AEB,?,?,00401021), ref: 00416C8A
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • DecodePointer.KERNEL32(?,?,?,00415B64,00411683,?,?,00410AEB,?,?,00401021), ref: 00416C5C
    • GetCurrentThreadId.KERNEL32 ref: 00416C72
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
      • Part of subcall function 00416B68: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416B79
      • Part of subcall function 00416B68: InterlockedIncrement.KERNEL32(?), ref: 00416BBA
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00403270, Relevance: 6.0, APIs: 4, Instructions: 42
    APIs
    • GetSystemMetrics.USER32(0000000C), ref: 004032A0
    • GetSystemMetrics.USER32(0000000B), ref: 004032A5
    • LoadImageA.USER32(?,?,00000001), ref: 004032B0
    • SendMessageA.USER32(?,00000080,00000001), ref: 004032C9
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004032E0, Relevance: 6.0, APIs: 4, Instructions: 42
    APIs
    • GetSystemMetrics.USER32(00000032), ref: 00403310
    • GetSystemMetrics.USER32(00000031), ref: 00403315
    • LoadImageA.USER32(?,?,00000001), ref: 00403320
    • SendMessageA.USER32(?,00000080,00000000), ref: 00403339
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041C794, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 345
    APIs
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 00416790: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004167E8
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000), ref: 004168C5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004), ref: 004168E5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00416921
    • InterlockedDecrement.KERNEL32 ref: 0041CAA0
    • InterlockedDecrement.KERNEL32 ref: 0041CAB1
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00410AEB,?,?,00401021), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00410AEB,?,?,00401021), ref: 00411685
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00403100, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
    APIs
    • GetClassInfoA.USER32(?,?,00000000), ref: 0040316A
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401A61
      • Part of subcall function 00401A50: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00401A9F
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,00000020), ref: 00412DF8
    • RegisterClassA.USER32(?), ref: 004031B7
    • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 0040320C
    • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00403250
    Strings
    • Failed to register window class, xrefs: 004031C2
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B603, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\894c20f0d97c5a1dee106331e00abd48.exe,00000104), ref: 0041B62D
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B601, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\894c20f0d97c5a1dee106331e00abd48.exe,00000104), ref: 0041B62D
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.337351057.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406589, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
    APIs
    • FindWindowA.USER32(#32770,00000000), ref: 00406597
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 0040BE30: GetWindowThreadProcessId.USER32(?,?), ref: 0040BE6F
      • Part of subcall function 0040BE30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BE78
      • Part of subcall function 0040BE30: Process32First.KERNEL32(?,?), ref: 0040BEA0
      • Part of subcall function 0040BE30: Process32Next.KERNEL32(?,00000128), ref: 0040BEC6
      • Part of subcall function 0040BE30: CloseHandle.KERNEL32(?), ref: 0040BF54
    • SetActiveWindow.USER32 ref: 00406673
    • EnumChildWindows.USER32(?,Function_00006530,00000000), ref: 00406681
    • ExitThread.KERNEL32(00000000,?,Function_00006530,00000000), ref: 00406689
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    • CertOpenSystemStoreA.CRYPT32(00000000,ROOT,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF,?,00405E2D), ref: 004066C3
    • GetLastError.KERNEL32(?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF,?,00405E2D), ref: 00406729
    • CertCreateCertificateContext.CRYPT32(00010001,?,?,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF), ref: 0040673F
    • CertCloseStore.CRYPT32(?,00000000,?,?,?,7C802446,?,00000000,?,?,?,?,?,?,00427973,000000FF), ref: 0040674D
    • CreateThread.KERNEL32(00000000,00000000,00406550,00000000), ref: 0040676A
    • CertAddCertificateContextToStore.CRYPT32(?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406778
    • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406788
    • TerminateThread.KERNEL32(?,00000000), ref: 004067F4
    • CertFreeCertificateContext.CRYPT32(?,?,00000000,?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 004067FB
    • CertCloseStore.CRYPT32(?,00000000,?,?,00000000,?,?,00000001,00000000,?,?,?,7C802446,?,00000000), ref: 00406804
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416B68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416B79
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,00000000,?,00416BB2,0000000D), ref: 00416573
    • InterlockedIncrement.KERNEL32(?), ref: 00416BBA
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(00000000,00000001,00000000), ref: 00419D3E
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(?), ref: 00419D4B
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(?), ref: 00419D58
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(?), ref: 00419D65
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(?), ref: 00419D72
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32 ref: 00419D8E
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(?), ref: 00419D9E
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(?), ref: 00419DB4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.194953137.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

    Analysis Process: cmd.exe PID: 944 Parent PID: 3488

    Executed Functions

    Non-executed Functions

    Analysis Process: ping.exe PID: 2368 Parent PID: 944

    Executed Functions

    Non-executed Functions

    Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 3552 Parent PID: 944

    Executed Functions

    Function 0040B6D0, Relevance: 75.6, APIs: 40, Strings: 3, Instructions: 370
    APIs
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,735068BA), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,735068BA), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,735068BA), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,735068BA), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(73506A74,?,73501785), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,73501785), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,73501785), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,73501785), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,73501785), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,73501785), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,73501785), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,73501785), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,73501785), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,73501785), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,73501785), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,73501785), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 00DB73CB, Relevance: 3.0, APIs: 2, Instructions: 29
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.344618912.00DB7000.00000004.sdmp, Offset: 00DB7000, based on PE: false
    Function 00DB7428, Relevance: 1.3, APIs: 1, Instructions: 15
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.344618912.00DB7000.00000004.sdmp, Offset: 00DB7000, based on PE: false

    Non-executed Functions

    Function 0040CCB0, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 232
    APIs
    • __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040CD0B
    • __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD18
    • _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD53
    • __vbaFpI4.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD62
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,735068BA), ref: 0040CD78
    • #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
    • __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
    • __vbaStrMove.MSVBVM60 ref: 0040CDD8
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
    • __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
    • __vbaStrCat.MSVBVM60 ref: 0040CE10
    • __vbaStrMove.MSVBVM60 ref: 0040CE17
    • __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
    • __vbaStrMove.MSVBVM60 ref: 0040CE25
    • __vbaI4Str.MSVBVM60 ref: 0040CE28
    • __vbaUI1I4.MSVBVM60 ref: 0040CE30
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
    • _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
    • __vbaFpI4.MSVBVM60 ref: 0040CE8E
    • __vbaLenBstr.MSVBVM60 ref: 0040CEB2
    • __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
    • #644.MSVBVM60 ref: 0040CEE2
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
    • #644.MSVBVM60(?), ref: 0040CEF4
    • __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
    • #644.MSVBVM60 ref: 0040CF18
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
    • CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
    • __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
    • __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
    • #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040C8C0, Relevance: 56.3, APIs: 29, Strings: 3, Instructions: 264
    APIs
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
      • Part of subcall function 0040B6D0: __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
      • Part of subcall function 0040B6D0: #632.MSVBVM60(?,?,?,?), ref: 0040BA16
      • Part of subcall function 0040B6D0: __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
      • Part of subcall function 0040B6D0: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
      • Part of subcall function 0040B6D0: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040B6D0: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040B6D0: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040B6D0: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
      • Part of subcall function 0040B6D0: #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
      • Part of subcall function 0040B6D0: #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040B6D0: __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040B6D0: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
    • __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,735068BA), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,735068BA), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,735068BA), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,735068BA), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(73506A74,?,73501785), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,73501785), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,73501785), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,73501785), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,73501785), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,73501785), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,73501785), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,73501785), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,73501785), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,73501785), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,73501785), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,73501785), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
    • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
    • __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
      • Part of subcall function 0040B580: __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
      • Part of subcall function 0040B580: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
      • Part of subcall function 0040B580: __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
      • Part of subcall function 0040B580: __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
      • Part of subcall function 0040B580: __vbaStrMove.MSVBVM60 ref: 0040B679
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
      • Part of subcall function 0040B580: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B580: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B580: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B580: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B580: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B580: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B580: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
    • __vbaFreeStr.MSVBVM60 ref: 0040C9F4
    • __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
    • __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
    • __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
    • __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
    • __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C7B0: __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,735068BA), ref: 0040C806
      • Part of subcall function 0040C7B0: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
      • Part of subcall function 0040C7B0: __vbaI2Var.MSVBVM60(?), ref: 0040C855
      • Part of subcall function 0040C7B0: __vbaI4Var.MSVBVM60(?), ref: 0040C862
      • Part of subcall function 0040C7B0: __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
      • Part of subcall function 0040C7B0: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
      • Part of subcall function 0040C7B0: __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    • __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
    • __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040CCB0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040CD0B
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD18
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD53
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60(?,00000000,?,00000000,735068BA), ref: 0040CD62
      • Part of subcall function 0040CCB0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000,?,00000000,735068BA), ref: 0040CD78
      • Part of subcall function 0040CCB0: #632.MSVBVM60(?,?,-00000001,?), ref: 0040CDC3
      • Part of subcall function 0040CCB0: __vbaStrVarMove.MSVBVM60(?), ref: 0040CDCD
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CDD8
      • Part of subcall function 0040CCB0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CDE3
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000026), ref: 0040CDF8
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60(00000048), ref: 0040CE07
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60 ref: 0040CE10
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE17
      • Part of subcall function 0040CCB0: __vbaStrCat.MSVBVM60(?), ref: 0040CE1E
      • Part of subcall function 0040CCB0: __vbaStrMove.MSVBVM60 ref: 0040CE25
      • Part of subcall function 0040CCB0: __vbaI4Str.MSVBVM60 ref: 0040CE28
      • Part of subcall function 0040CCB0: __vbaUI1I4.MSVBVM60 ref: 0040CE30
      • Part of subcall function 0040CCB0: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CE4A
      • Part of subcall function 0040CCB0: _adj_fdiv_m64.MSVBVM60 ref: 0040CE7F
      • Part of subcall function 0040CCB0: __vbaFpI4.MSVBVM60 ref: 0040CE8E
      • Part of subcall function 0040CCB0: __vbaLenBstr.MSVBVM60 ref: 0040CEB2
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?,?), ref: 0040CECE
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CEE2
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CEEA
      • Part of subcall function 0040CCB0: #644.MSVBVM60(?), ref: 0040CEF4
      • Part of subcall function 0040CCB0: __vbaAryLock.MSVBVM60(?), ref: 0040CF0A
      • Part of subcall function 0040CCB0: #644.MSVBVM60 ref: 0040CF18
      • Part of subcall function 0040CCB0: __vbaAryUnlock.MSVBVM60(?), ref: 0040CF20
      • Part of subcall function 0040CCB0: CallWindowProcA.USER32(?,?,?,00000000,00000000), ref: 0040CF33
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(0040CF99,?,?,?,00000000,00000000), ref: 0040CF80
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF85
      • Part of subcall function 0040CCB0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040CF8D
      • Part of subcall function 0040CCB0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,00000000), ref: 0040CF96
      • Part of subcall function 0040CCB0: __vbaErrorOverflow.MSVBVM60(?), ref: 0040CFB1
      • Part of subcall function 0040CCB0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
    • __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC43
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC4F
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC58
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC64
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC70
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC79
    • __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC85
    • __vbaFreeStr.MSVBVM60(?,00401396), ref: 0040CC8E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040B930, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 219
    APIs
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
      • Part of subcall function 0040B6D0: __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
      • Part of subcall function 0040B6D0: __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
      • Part of subcall function 0040B6D0: __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040B6D0: __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
      • Part of subcall function 0040B6D0: __vbaI4Str.MSVBVM60 ref: 0040B804
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
    • __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040B580, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 153
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5BC
    • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401396), ref: 0040B5CA
    • __vbaStrMove.MSVBVM60(?,?), ref: 0040B60C
    • __vbaStrCat.MSVBVM60(?,?,?), ref: 0040B60F
    • __vbaStrMove.MSVBVM60(?,?,?), ref: 0040B616
    • __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040B61B
    • __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040B625
    • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040B63A
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 0040B641
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0040B64B
    • __vbaLenBstrB.MSVBVM60(?), ref: 0040B660
    • __vbaStrCat.MSVBVM60(?,?), ref: 0040B672
    • __vbaStrMove.MSVBVM60 ref: 0040B679
    • __vbaFreeStr.MSVBVM60(0040B6AC), ref: 0040B6A4
    • __vbaFreeStr.MSVBVM60 ref: 0040B6A9
      • Part of subcall function 0040BB10: __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
      • Part of subcall function 0040BB10: __vbaUI1I2.MSVBVM60 ref: 0040BB6E
      • Part of subcall function 0040BB10: _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
      • Part of subcall function 0040BB10: __vbaFpUI1.MSVBVM60 ref: 0040BBB9
      • Part of subcall function 0040BB10: __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60 ref: 0040BBE1
      • Part of subcall function 0040BB10: __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040BB10: __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
      • Part of subcall function 0040BB10: #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
      • Part of subcall function 0040BB10: #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040BB10: __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
      • Part of subcall function 0040BB10: __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
      • Part of subcall function 0040BB10: __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
      • Part of subcall function 0040BB10: __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
      • Part of subcall function 0040BB10: __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    • __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 0040B6C2
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B70A
    • __vbaStr2Vec.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B718
    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B726
    • __vbaErrorOverflow.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B790
    • __vbaStrCopy.MSVBVM60(004011D8,?,00000001), ref: 0040B7E3
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDF4
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,00000000,735068BA), ref: 0040BDFC
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE02
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE31
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BE46
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,00000000,735068BA), ref: 0040BE57
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,00000000,735068BA), ref: 0040BE8B
      • Part of subcall function 0040BD90: #632.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEC2
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BED4
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,00000000,735068BA), ref: 0040BED7
      • Part of subcall function 0040BD90: __vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEEE
      • Part of subcall function 0040BD90: #516.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BEF1
      • Part of subcall function 0040BD90: #697.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF03
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF0E
      • Part of subcall function 0040BD90: __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF11
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF1C
      • Part of subcall function 0040BD90: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF2C
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BF44
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(0040BFB4,?,00000000,735068BA), ref: 0040BFAC
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,00000000,735068BA), ref: 0040BFB1
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00000000,735068BA), ref: 0040BFCA
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(73506A74,?,73501785), ref: 0040C039
      • Part of subcall function 0040BD90: __vbaAryMove.MSVBVM60(?,?,?,?,73501785), ref: 0040C059
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,73501785), ref: 0040C063
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C0DC
      • Part of subcall function 0040BD90: __vbaUbound.MSVBVM60(00000001,?,?,73501785), ref: 0040C141
      • Part of subcall function 0040BD90: __vbaUI1I2.MSVBVM60(?,?,73501785), ref: 0040C1B6
      • Part of subcall function 0040BD90: __vbaAryLock.MSVBVM60(?,?,?,?,73501785), ref: 0040C284
      • Part of subcall function 0040BD90: __vbaAryUnlock.MSVBVM60(?,?,?,00004003,?,?,?,73501785), ref: 0040C2CB
      • Part of subcall function 0040BD90: __vbaUI1Var.MSVBVM60(?,?,?,?,73501785), ref: 0040C2E3
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?,73501785), ref: 0040C2FE
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,0040C358,?,?,73501785), ref: 0040C344
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,73501785), ref: 0040C34C
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,73501785), ref: 0040C351
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(?,?,73501785), ref: 0040C36B
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000001,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C40D
      • Part of subcall function 0040BD90: __vbaAryCopy.MSVBVM60(?,?), ref: 0040C41E
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C431
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000001,?,?,00000000,00000000,00000000), ref: 0040C447
      • Part of subcall function 0040BD90: __vbaVarForInit.MSVBVM60(?,?,?,?,?,?,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C50D
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C51F
      • Part of subcall function 0040BD90: __vbaI4Var.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C53B
      • Part of subcall function 0040BD90: __vbaVarForNext.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0040C563
      • Part of subcall function 0040BD90: __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,-00000002,00000000,?,?,?,?,00000000,00000000), ref: 0040C588
      • Part of subcall function 0040BD90: __vbaLenBstr.MSVBVM60(?,?,?,?), ref: 0040C5B4
      • Part of subcall function 0040BD90: #631.MSVBVM60(?,?,?), ref: 0040C618
      • Part of subcall function 0040BD90: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040C623
      • Part of subcall function 0040BD90: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040C63B
      • Part of subcall function 0040BD90: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040C644
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040C650
      • Part of subcall function 0040BD90: __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C6C7), ref: 0040C69E
      • Part of subcall function 0040BD90: __vbaFreeVar.MSVBVM60 ref: 0040C6AA
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6BC
      • Part of subcall function 0040BD90: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C6C4
      • Part of subcall function 0040BD90: __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,00000000), ref: 0040C6DD
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(00000000,?,00000001), ref: 0040C733
      • Part of subcall function 0040BD90: __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0040C73C
      • Part of subcall function 0040BD90: __vbaVarXor.MSVBVM60(?,?,?,?,00000001), ref: 0040C743
      • Part of subcall function 0040BD90: __vbaVarMove.MSVBVM60(?,?,?,00000001), ref: 0040C74E
    • __vbaStrMove.MSVBVM60(V:nX@BfX@B,prVh), ref: 0040B7FD
    • __vbaI4Str.MSVBVM60 ref: 0040B804
    • __vbaFreeStr.MSVBVM60 ref: 0040B815
      • Part of subcall function 0040CFC0: #578.MSVBVM60(?,0040B821,?,00000000), ref: 0040CFC7
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 0040B92A
    • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040B97D
    • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,?,?,00000000,00000000,00000000,73501785), ref: 0040B998
    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 0040B9A5
    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B9C0
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0040B9CF
    • #632.MSVBVM60(?,?,?,?), ref: 0040BA16
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0040BA24
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(0040B779,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B766
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,00401396,0040BA30), ref: 0040B772
      • Part of subcall function 0040B6D0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,?,00000000), ref: 0040B83A
      • Part of subcall function 0040B6D0: __vbaStrToAnsi.MSVBVM60(?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B853
      • Part of subcall function 0040B6D0: __vbaSetSystemError.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B861
      • Part of subcall function 0040B6D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B86F
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B878
      • Part of subcall function 0040B6D0: __vbaAryLock.MSVBVM60(?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B882
      • Part of subcall function 0040B6D0: __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B893
      • Part of subcall function 0040B6D0: ReadFile.KERNEL32(?,?), ref: 0040B8B3
      • Part of subcall function 0040B6D0: __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8BD
      • Part of subcall function 0040B6D0: __vbaAryCopy.MSVBVM60(?,?,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B8CB
      • Part of subcall function 0040B6D0: __vbaAryDestruct.MSVBVM60(00000000,?,0040B914,?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B904
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000003,00000000,00000003,00000000,00000000), ref: 0040B90D
      • Part of subcall function 0040B6D0: __vbaFreeStr.MSVBVM60 ref: 0040BA44
      • Part of subcall function 0040B6D0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0040BA54
      • Part of subcall function 0040B6D0: __vbaUI1I4.MSVBVM60 ref: 0040BA6D
    • __vbaAryCopy.MSVBVM60(?,?), ref: 0040BA94
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BAE7), ref: 0040BADD
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAE4
    • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,00000000,73501785), ref: 0040BAFD
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040BB10, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 175
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,00402E80,00000011,?,73506A74,735068BA), ref: 0040BB4F
    • __vbaUI1I2.MSVBVM60 ref: 0040BB6E
    • _adj_fdiv_m64.MSVBVM60 ref: 0040BBAE
    • __vbaFpUI1.MSVBVM60 ref: 0040BBB9
    • __vbaStrVarCopy.MSVBVM60(?), ref: 0040BBD6
    • __vbaStrMove.MSVBVM60 ref: 0040BBE1
    • __vbaAryDestruct.MSVBVM60(00000000,?,0040BC0C), ref: 0040BC05
    • __vbaErrorOverflow.MSVBVM60 ref: 0040BC27
      • Part of subcall function 0040CFD0: __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
      • Part of subcall function 0040CFD0: __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
      • Part of subcall function 0040CFD0: #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
      • Part of subcall function 0040CFD0: __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
      • Part of subcall function 0040CFD0: __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    • __vbaStrMove.MSVBVM60(?,?,735068BA), ref: 0040BC71
    • #582.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BC94
    • #585.MSVBVM60(00000000,3FF00000,?,?,735068BA), ref: 0040BCA4
      • Part of subcall function 0040C8C0: __vbaChkstk.MSVBVM60(?,00401396,?,?,0040BCC4,?,?,735068BA), ref: 0040C8DE
      • Part of subcall function 0040C8C0: __vbaOnError.MSVBVM60(000000FF,?,00000000,735068BA,?,00401396), ref: 0040C90E
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(00403434,S76O), ref: 0040C94B
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0040C98F
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60 ref: 0040C9CF
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0040C9EB
      • Part of subcall function 0040C8C0: __vbaFreeStr.MSVBVM60 ref: 0040C9F4
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(735068BA,?,?,00000000), ref: 0040CA39
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CA6E
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CA95
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CAA9
      • Part of subcall function 0040C8C0: __vbaAryLock.MSVBVM60(?,735068BA), ref: 0040CADE
      • Part of subcall function 0040C8C0: __vbaAryUnlock.MSVBVM60(?,?), ref: 0040CB05
      • Part of subcall function 0040C8C0: __vbaAryMove.MSVBVM60(?,?), ref: 0040CB19
      • Part of subcall function 0040C8C0: __vbaStrCopy.MSVBVM60(?,?,?), ref: 0040CB9F
      • Part of subcall function 0040C8C0: __vbaStrMove.MSVBVM60(?,?,00000000,?,?), ref: 0040CBBB
      • Part of subcall function 0040C8C0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?), ref: 0040CBDE
      • Part of subcall function 0040C8C0: __vbaEnd.MSVBVM60(735068BA,?,00401396), ref: 0040CBEE
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,0040CC95,?,00401396), ref: 0040CC1F
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC2B
      • Part of subcall function 0040C8C0: __vbaAryDestruct.MSVBVM60(00000000,?,?,00401396), ref: 0040CC37
    • __vbaEnd.MSVBVM60(?,?,735068BA), ref: 0040BCC4
    • __vbaFreeStr.MSVBVM60(0040BCDA,?,?,735068BA), ref: 0040BCD3
    • __vbaErrorOverflow.MSVBVM60(?,?,735068BA), ref: 0040BCF0
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040CFD0, Relevance: 12.0, APIs: 8, Instructions: 46
    APIs
    • __vbaFixstrConstruct.MSVBVM60(00000100,?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D00D
    • __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D01F
    • __vbaStrCopy.MSVBVM60(?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D027
    • #644.MSVBVM60(?,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D02D
    • __vbaSetSystemError.MSVBVM60(00000000,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D03F
    • __vbaFreeStr.MSVBVM60(0040D06C,?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D05F
    • __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D064
    • __vbaFreeStr.MSVBVM60(?,00000104,?,00000000,735068BA,?,?,?,?,?,?,?,?,00401396), ref: 0040D069
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040C7B0, Relevance: 10.6, APIs: 7, Instructions: 84
    APIs
    • __vbaRedim.MSVBVM60(00000080,00000002,0040E070,00000002,00000001,000000FF,00000000,?,00000000,735068BA), ref: 0040C806
    • __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0040C841
    • __vbaI2Var.MSVBVM60(?), ref: 0040C855
    • __vbaI4Var.MSVBVM60(?), ref: 0040C862
    • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0040C883
    • __vbaFreeVarList.MSVBVM60(00000002,?,?,0040C8AD), ref: 0040C89A
    • __vbaFreeVar.MSVBVM60 ref: 0040C8A6
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040BD00, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
    APIs
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401250,?,?,?,?,00401396,00000000), ref: 0040BD3D
    • __vbaStrCopy.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD45
    • __vbaInStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00401396,00000000), ref: 0040BD57
    • __vbaFreeStr.MSVBVM60(0040BD76,?,?,?,?,00401396,00000000), ref: 0040BD6E
    • __vbaFreeStr.MSVBVM60(?,?,?,?,00401396,00000000), ref: 0040BD73
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040BF64, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24
    APIs
    • __vbaFreeStr.MSVBVM60 ref: 0040BF6D
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040BF81
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0040BF99
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040BAA1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
    APIs
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040BAAD
    • __vbaFreeStr.MSVBVM60 ref: 0040BAB6
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040BAC6
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040B8D8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 12
    APIs
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040B8E4
    • __vbaAryUnlock.MSVBVM60(?), ref: 0040B8EE
    • __vbaFreeStr.MSVBVM60 ref: 0040B8F7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040C666, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 11
    APIs
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040C672
    • __vbaFreeStr.MSVBVM60 ref: 0040C67B
    • __vbaFreeVar.MSVBVM60 ref: 0040C687
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp
    Function 0040B682, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000001.339711227.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.339642695.00400000.00000002.sdmp
    • Associated: 00000004.00000001.339746134.0040E000.00000008.sdmp
    • Associated: 00000004.00000001.339808623.0040F000.00000004.sdmp
    • Associated: 00000004.00000001.339856775.00411000.00000002.sdmp

    Analysis Process: 894c20f0d97c5a1dee106331e00abd48.exe PID: 1708 Parent PID: 3552

    Executed Functions

    Function 00406550, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 229
    APIs
    • FindWindowA.USER32(#32770,00000000), ref: 00406597
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 0040BE30: GetWindowThreadProcessId.USER32(?,?), ref: 0040BE6F
      • Part of subcall function 0040BE30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BE78
      • Part of subcall function 0040BE30: Process32First.KERNEL32(?,?), ref: 0040BEA0
      • Part of subcall function 0040BE30: Process32Next.KERNEL32(?,00000128), ref: 0040BEC6
      • Part of subcall function 0040BE30: CloseHandle.KERNEL32(?), ref: 0040BF54
    • SetActiveWindow.USER32 ref: 00406673
    • EnumChildWindows.USER32(?,00406530,00000000), ref: 00406681
    • ExitThread.KERNEL32(00000000,?,00406530,00000000), ref: 00406689
    • CertOpenSystemStoreA.CRYPT32(00000000,ROOT,?,?,?,00000000), ref: 004066C3
    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00406729
    • CertCreateCertificateContext.CRYPT32(00010001,?,?,?,?,?,00000000), ref: 0040673F
    • CertCloseStore.CRYPT32(?,00000000,?,?,?,?,?,00000000), ref: 0040674D
    • CreateThread.KERNEL32(00000000,00000000,00406550,00000000), ref: 0040676A
    • CertAddCertificateContextToStore.CRYPT32(?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406778
    • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406788
    • TerminateThread.KERNEL32(?,00000000), ref: 004067F4
    • CertFreeCertificateContext.CRYPT32(?,?,00000000,00000000,?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 004067FB
    • CertCloseStore.CRYPT32(?,00000000,?,?,00000000,00000000,?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406804
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402860, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 236
    APIs
    • lstrlenA.KERNEL32(?), ref: 00402942
    • lstrcpynA.KERNEL32(?,Win32++ Window,000000FF), ref: 00402965
    • GetStockObject.GDI32(00000000), ref: 004029B2
    • LoadCursorA.USER32(00000000,00007F00), ref: 004029C4
      • Part of subcall function 00403100: GetClassInfoA.USER32(?,?,00000000), ref: 0040316A
      • Part of subcall function 00403100: RegisterClassA.USER32(?), ref: 004031B7
      • Part of subcall function 00403100: EnterCriticalSection.KERNEL32(?,?,00000000), ref: 0040320C
      • Part of subcall function 00403100: LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00403250
    • GetLastError.KERNEL32 ref: 004029F4
    • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00402A42
      • Part of subcall function 00401DE0: TlsGetValue.KERNEL32(?,?,0012FED0), ref: 00401E16
      • Part of subcall function 00401DE0: EnterCriticalSection.KERNEL32(?,?), ref: 00401E6A
      • Part of subcall function 00401DE0: InterlockedDecrement.KERNEL32 ref: 00401E9C
      • Part of subcall function 00401DE0: LeaveCriticalSection.KERNEL32(?), ref: 00401ED1
      • Part of subcall function 00401DE0: TlsSetValue.KERNEL32(?,00000000), ref: 00401EE2
    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00402AE3
    • GetClassInfoA.USER32(?,?,?), ref: 00402B30
    • SetWindowLongA.USER32(00000001,000000FC,00403350), ref: 00402B5D
    • SendMessageA.USER32(00000001,00000000,00000000,00000000), ref: 00402B70
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401A61
      • Part of subcall function 00401A50: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00401A9F
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,?), ref: 00412DF8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C850, Relevance: 12.2, APIs: 8, Instructions: 186
    APIs
    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C922
    • GetProcessHeap.KERNEL32 ref: 0040C93C
    • HeapAlloc.KERNEL32(?,?,00000000), ref: 0040C943
    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C966
    • RasGetEntryPropertiesA.RASAPI32(00000000,?,?,?,00000000,00000000), ref: 0040C9BD
    • RasSetEntryPropertiesA.RASAPI32(00000000,?,00000B84,00000B84,00000000,00000000), ref: 0040CA62
    • GetProcessHeap.KERNEL32 ref: 0040CA8F
    • HeapFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040CA96
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00408541, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129
    APIs
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 004085A9
      • Part of subcall function 004086F0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00408759
      • Part of subcall function 004086F0: ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 004087AC
      • Part of subcall function 004086F0: GetFileAttributesA.KERNEL32(?), ref: 004087FC
      • Part of subcall function 004086F0: SetFileAttributesA.KERNEL32(?,00000080), ref: 0040881B
      • Part of subcall function 004086F0: Sleep.KERNEL32 ref: 00408885
      • Part of subcall function 004086F0: Sleep.KERNEL32 ref: 00408973
      • Part of subcall function 004086F0: ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000002), ref: 00408980
      • Part of subcall function 004086F0: PostQuitMessage.USER32(00000000), ref: 00408987
    • Sleep.KERNEL32 ref: 004085E8
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • Sleep.KERNEL32 ref: 00408687
    • SetTimer.USER32(?,00000001,?,00000000), ref: 004086BE
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00405D30: Sleep.KERNEL32 ref: 00405DEB
      • Part of subcall function 00405D30: Sleep.KERNEL32 ref: 00405E1E
      • Part of subcall function 00405D30: Sleep.KERNEL32 ref: 00405E65
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040BFD0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 128
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040C00B
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 0040C11E
    • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0040C156
    • RegCloseKey.ADVAPI32(00000000), ref: 0040C163
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040BE30, Relevance: 7.6, APIs: 5, Instructions: 110
    APIs
    • GetWindowThreadProcessId.USER32(?,?), ref: 0040BE6F
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BE78
    • Process32First.KERNEL32(?,?), ref: 0040BEA0
    • Process32Next.KERNEL32(?,00000128), ref: 0040BEC6
    • CloseHandle.KERNEL32(?), ref: 0040BF54
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004074F0, Relevance: 7.6, APIs: 5, Instructions: 90
    APIs
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00407535
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040755C
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040756B
    • TranslateMessage.USER32(?), ref: 0040759A
    • DispatchMessageA.USER32(?), ref: 004075A4
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00405D30, Relevance: 3.9, APIs: 3, Instructions: 108
    APIs
      • Part of subcall function 00401F00: InterlockedIncrement.KERNEL32(?,?), ref: 00401F6B
      • Part of subcall function 00401F00: InterlockedDecrement.KERNEL32(00000000,?), ref: 00401F88
      • Part of subcall function 00401F00: InterlockedDecrement.KERNEL32(?,?), ref: 00401FAC
      • Part of subcall function 00401F00: InterlockedIncrement.KERNEL32(?,?), ref: 00401FE7
      • Part of subcall function 00401F00: InterlockedDecrement.KERNEL32(?,?), ref: 00402004
      • Part of subcall function 00401F00: InterlockedDecrement.KERNEL32(?,?), ref: 00402028
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 00405DEB
      • Part of subcall function 0040BFD0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040C00B
      • Part of subcall function 0040BFD0: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 0040C11E
      • Part of subcall function 0040BFD0: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0040C156
      • Part of subcall function 0040BFD0: RegCloseKey.ADVAPI32(00000000), ref: 0040C163
    • Sleep.KERNEL32 ref: 00405E1E
    • Sleep.KERNEL32 ref: 00405E65
      • Part of subcall function 0040C850: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C922
      • Part of subcall function 0040C850: GetProcessHeap.KERNEL32 ref: 0040C93C
      • Part of subcall function 0040C850: HeapAlloc.KERNEL32(?,?,00000000), ref: 0040C943
      • Part of subcall function 0040C850: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C966
      • Part of subcall function 0040C850: RasGetEntryPropertiesA.RASAPI32(00000000,?,?,?,00000000,00000000), ref: 0040C9BD
      • Part of subcall function 0040C850: RasSetEntryPropertiesA.RASAPI32(00000000,?,00000B84,00000B84,00000000,00000000), ref: 0040CA62
      • Part of subcall function 0040C850: GetProcessHeap.KERNEL32 ref: 0040CA8F
      • Part of subcall function 0040C850: HeapFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040CA96
      • Part of subcall function 00406550: CertOpenSystemStoreA.CRYPT32(00000000,ROOT,?,?,?,00000000), ref: 004066C3
      • Part of subcall function 00406550: GetLastError.KERNEL32(?,?,?,00000000), ref: 00406729
      • Part of subcall function 00406550: CertCreateCertificateContext.CRYPT32(00010001,?,?,?,?,?,00000000), ref: 0040673F
      • Part of subcall function 00406550: CertCloseStore.CRYPT32(?,00000000,?,?,?,?,?,00000000), ref: 0040674D
      • Part of subcall function 00406550: CreateThread.KERNEL32(00000000,00000000,00406550,00000000), ref: 0040676A
      • Part of subcall function 00406550: CertAddCertificateContextToStore.CRYPT32(?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406778
      • Part of subcall function 00406550: GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406788
      • Part of subcall function 00406550: TerminateThread.KERNEL32(?,00000000), ref: 004067F4
      • Part of subcall function 00406550: CertFreeCertificateContext.CRYPT32(?,?,00000000,00000000,?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 004067FB
      • Part of subcall function 00406550: CertCloseStore.CRYPT32(?,00000000,?,?,00000000,00000000,?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406804
      • Part of subcall function 00405880: GetEnvironmentVariableA.KERNEL32(APPDATA,?,00000400), ref: 00405938
      • Part of subcall function 00405880: lstrcatA.KERNEL32(?,\Mozilla\Firefox\Profiles,?,?,?,?,?,00426E2E,000000FF), ref: 00405958
      • Part of subcall function 00405880: lstrcpyA.KERNEL32(?,?,?,?,?,?,?,00426E2E,000000FF), ref: 00405968
      • Part of subcall function 00405880: lstrcatA.KERNEL32(?,\*.*,?,?,?,?,?,00426E2E,000000FF), ref: 0040597A
      • Part of subcall function 00405880: RegOpenKeyExA.ADVAPI32(80000002,Software\Mozilla\Mozilla Firefox,00000000,00020019,?), ref: 0040599A
      • Part of subcall function 00405880: RegEnumKeyExA.ADVAPI32(?,?,?,?), ref: 004059BA
      • Part of subcall function 00405880: RegCloseKey.ADVAPI32(?), ref: 004059CB
      • Part of subcall function 00405880: lstrcatA.KERNEL32(?,\Main,?,?,?,?,?,?,?,?,?,?,?,?,00426E2E,000000FF), ref: 004059E4
      • Part of subcall function 00405880: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00405A02
      • Part of subcall function 00405880: RegCloseKey.ADVAPI32(?), ref: 00405A0F
      • Part of subcall function 00405880: RegCloseKey.ADVAPI32(?), ref: 00405A29
      • Part of subcall function 00405880: RegQueryValueExA.ADVAPI32(?,Install Directory,00000000,00000000,?,?), ref: 00405A49
      • Part of subcall function 00405880: RegCloseKey.ADVAPI32(?), ref: 00405A5A
      • Part of subcall function 00405880: RegCloseKey.ADVAPI32 ref: 00405A78
      • Part of subcall function 00405880: GetCurrentDirectoryA.KERNEL32(00000400,?), ref: 00405A82
      • Part of subcall function 00405880: SetCurrentDirectoryA.KERNEL32(00000000), ref: 00405A9D
      • Part of subcall function 00405880: LoadLibraryA.KERNEL32(nss3.dll), ref: 00405AAC
      • Part of subcall function 00405880: SetCurrentDirectoryA.KERNEL32(?), ref: 00405ABB
      • Part of subcall function 00405880: GetProcAddress.KERNEL32(?,NSS_InitReadWrite), ref: 00405AD9
      • Part of subcall function 00405880: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00405AE7
      • Part of subcall function 00405880: GetProcAddress.KERNEL32(?,CERT_GetDefaultCertDB), ref: 00405AF5
      • Part of subcall function 00405880: GetProcAddress.KERNEL32(?,CERT_ImportCerts), ref: 00405B03
      • Part of subcall function 00405880: GetProcAddress.KERNEL32(?,CERT_ChangeCertTrust), ref: 00405B11
      • Part of subcall function 00405880: GetProcAddress.KERNEL32(?,CERT_DestroyCertArray), ref: 00405B1F
      • Part of subcall function 00405880: FindFirstFileA.KERNEL32(?,?), ref: 00405B35
      • Part of subcall function 00405880: FreeLibrary.KERNEL32 ref: 00405B47
      • Part of subcall function 00405880: lstrcmpA.KERNEL32(?,0042DDEC,?,CERT_DestroyCertArray,?,CERT_ChangeCertTrust,?,CERT_ImportCerts,?,CERT_GetDefaultCertDB,?,NSS_Shutdown,?,NSS_InitReadWrite), ref: 00405B66
      • Part of subcall function 00405880: lstrcmpA.KERNEL32(?,0042DDF0,?,CERT_DestroyCertArray,?,CERT_ChangeCertTrust,?,CERT_ImportCerts,?,CERT_GetDefaultCertDB,?,NSS_Shutdown,?,NSS_InitReadWrite), ref: 00405B7C
      • Part of subcall function 00405880: lstrcpyA.KERNEL32(?,?), ref: 00405BA1
      • Part of subcall function 00405880: lstrcatA.KERNEL32(?,0042DDF4), ref: 00405BB3
      • Part of subcall function 00405880: lstrcatA.KERNEL32(?,?), ref: 00405BC3
      • Part of subcall function 00405880: FindNextFileA.KERNEL32(?,?), ref: 00405C9D
      • Part of subcall function 00405880: FindClose.KERNEL32(?), ref: 00405CB2
      • Part of subcall function 00405880: FreeLibrary.KERNEL32 ref: 00405CB9
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004077F0, Relevance: 3.0, APIs: 2, Instructions: 42
    APIs
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 00407823
      • Part of subcall function 00406B80: InitializeCriticalSection.KERNEL32(?), ref: 00406CAF
      • Part of subcall function 00406B80: InitializeCriticalSection.KERNEL32(?), ref: 00406CB5
    • PostQuitMessage.USER32(000000FF), ref: 00407874
      • Part of subcall function 00407040: IsWindow.USER32(?), ref: 00407144
      • Part of subcall function 00407040: DestroyWindow.USER32(?), ref: 0040714F
      • Part of subcall function 00407040: TlsSetValue.KERNEL32(?,00000000), ref: 004072F6
      • Part of subcall function 00407040: TlsFree.KERNEL32(?), ref: 00407303
      • Part of subcall function 00407040: DeleteCriticalSection.KERNEL32(?), ref: 00407320
      • Part of subcall function 00407040: DeleteCriticalSection.KERNEL32(?), ref: 00407326
      • Part of subcall function 00407040: DeleteCriticalSection.KERNEL32(?), ref: 0040732C
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402CA0, Relevance: 1.5, APIs: 1, Instructions: 13
    APIs
    • DefWindowProcA.USER32(?,?,?,?), ref: 00402CB3
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406530, Relevance: 1.5, APIs: 1, Instructions: 11
    APIs
    • SendMessageA.USER32(?,000000F5,00000000,00000000), ref: 00406540
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417398, Relevance: 1.5, APIs: 1, Instructions: 10
    APIs
    • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 004173A1
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

    Non-executed Functions

    Function 00410A4E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00415E1D
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
    • UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
    • GetCurrentProcess.KERNEL32 ref: 00415E59
    • TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041695A, Relevance: 4.6, APIs: 3, Instructions: 75
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00416A44
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 00416A4E
    • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 00416A5B
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B1D4, Relevance: 1.5, APIs: 1, Instructions: 4
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(0041B192), ref: 0041B1D9
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00405880, Relevance: 82.6, APIs: 34, Strings: 13, Instructions: 312
    APIs
    • GetEnvironmentVariableA.KERNEL32(APPDATA,?,00000400), ref: 00405938
    • lstrcatA.KERNEL32(?,\Mozilla\Firefox\Profiles,?,?,?,?,?,00426E2E,000000FF), ref: 00405958
    • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,00426E2E,000000FF), ref: 00405968
    • lstrcatA.KERNEL32(?,\*.*,?,?,?,?,?,00426E2E,000000FF), ref: 0040597A
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Mozilla\Mozilla Firefox,00000000,00020019,?), ref: 0040599A
    • RegEnumKeyExA.ADVAPI32(?,?,?,?), ref: 004059BA
    • RegCloseKey.ADVAPI32(?), ref: 004059CB
    • lstrcatA.KERNEL32(?,\Main,?,?,?,?,?,?,?,?,?,?,?,?,00426E2E,000000FF), ref: 004059E4
    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00405A02
    • RegCloseKey.ADVAPI32(?), ref: 00405A0F
    • RegCloseKey.ADVAPI32(?), ref: 00405A29
    • RegQueryValueExA.ADVAPI32(?,Install Directory,00000000,00000000,?,?), ref: 00405A49
    • RegCloseKey.ADVAPI32(?), ref: 00405A5A
    • RegCloseKey.ADVAPI32 ref: 00405A78
    • GetCurrentDirectoryA.KERNEL32(00000400,?), ref: 00405A82
    • SetCurrentDirectoryA.KERNEL32(00000000), ref: 00405A9D
    • LoadLibraryA.KERNEL32(nss3.dll), ref: 00405AAC
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00405ABB
    • GetProcAddress.KERNEL32(?,NSS_InitReadWrite), ref: 00405AD9
    • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00405AE7
    • GetProcAddress.KERNEL32(?,CERT_GetDefaultCertDB), ref: 00405AF5
    • GetProcAddress.KERNEL32(?,CERT_ImportCerts), ref: 00405B03
    • GetProcAddress.KERNEL32(?,CERT_ChangeCertTrust), ref: 00405B11
    • GetProcAddress.KERNEL32(?,CERT_DestroyCertArray), ref: 00405B1F
    • FindFirstFileA.KERNEL32(?,?), ref: 00405B35
    • FreeLibrary.KERNEL32 ref: 00405B47
    • lstrcmpA.KERNEL32(?,0042DDEC,?,CERT_DestroyCertArray,?,CERT_ChangeCertTrust,?,CERT_ImportCerts,?,CERT_GetDefaultCertDB,?,NSS_Shutdown,?,NSS_InitReadWrite), ref: 00405B66
    • lstrcmpA.KERNEL32(?,0042DDF0,?,CERT_DestroyCertArray,?,CERT_ChangeCertTrust,?,CERT_ImportCerts,?,CERT_GetDefaultCertDB,?,NSS_Shutdown,?,NSS_InitReadWrite), ref: 00405B7C
    • lstrcpyA.KERNEL32(?,?), ref: 00405BA1
    • lstrcatA.KERNEL32(?,0042DDF4), ref: 00405BB3
    • lstrcatA.KERNEL32(?,?), ref: 00405BC3
    • FindNextFileA.KERNEL32(?,?), ref: 00405C9D
    • FindClose.KERNEL32(?), ref: 00405CB2
    • FreeLibrary.KERNEL32 ref: 00405CB9
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040B9A0, Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 237
    APIs
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040B9EF
      • Part of subcall function 00401310: BeginPaint.USER32(?,?), ref: 0040138C
    • SaveDC.GDI32(?), ref: 0040BA0E
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • CreateFontA.GDI32(0000000E,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 0040BA68
      • Part of subcall function 0040B4F0: DeleteObject.GDI32 ref: 0040B50F
      • Part of subcall function 0040B4F0: EnterCriticalSection.KERNEL32(0012FED0), ref: 0040B537
      • Part of subcall function 0040B4F0: LeaveCriticalSection.KERNEL32(0012FED0), ref: 0040B55C
      • Part of subcall function 0040B4F0: InterlockedIncrement.KERNEL32(?), ref: 0040B57F
    • GetObjectA.GDI32(?,0000003C,?), ref: 0040BAA4
    • SelectObject.GDI32(?), ref: 0040BAB9
      • Part of subcall function 0040B750: EnterCriticalSection.KERNEL32(0012FED0), ref: 0040B799
      • Part of subcall function 0040B750: LeaveCriticalSection.KERNEL32(0012FED0), ref: 0040B7BD
    • GetUserDefaultLangID.KERNEL32(?), ref: 0040BAC8
    • GetModuleHandleA.KERNEL32(00000000), ref: 0040BAE6
    • FindResourceA.KERNEL32 ref: 0040BAED
    • GetModuleHandleA.KERNEL32(00000000), ref: 0040BB1A
    • FindResourceA.KERNEL32 ref: 0040BB21
    • SetBkMode.GDI32(?,00000001), ref: 0040BB65
    • SetTextColor.GDI32(?,00DCDCDC), ref: 0040BB7E
    • DrawTextA.USER32(?,?,000000CD), ref: 0040BBC4
    • SetTextColor.GDI32(?,00000000), ref: 0040BBD0
    • DrawTextA.USER32(?,?,00000258), ref: 0040BC0D
      • Part of subcall function 0040B5B0: EnterCriticalSection.KERNEL32(0012FE28,?,0040B50E), ref: 0040B5C3
      • Part of subcall function 0040B5B0: InterlockedDecrement.KERNEL32(?,?), ref: 0040B5E6
      • Part of subcall function 0040B5B0: LeaveCriticalSection.KERNEL32(0012FE28,?,?,0040B50E), ref: 0040B60E
    • RestoreDC.GDI32(?,?), ref: 0040BC26
    • InterlockedDecrement.KERNEL32(?), ref: 0040BC44
    • DeleteObject.GDI32 ref: 0040BC60
      • Part of subcall function 0040B640: EnterCriticalSection.KERNEL32(?), ref: 0040B66B
      • Part of subcall function 0040B640: LeaveCriticalSection.KERNEL32(?), ref: 0040B6A4
    • EndPaint.USER32(?,?), ref: 0040BCA2
      • Part of subcall function 004017B0: EnterCriticalSection.KERNEL32(0012FE28,00401405), ref: 004017C2
      • Part of subcall function 004017B0: InterlockedDecrement.KERNEL32 ref: 004017D4
      • Part of subcall function 004017B0: LeaveCriticalSection.KERNEL32(0012FE28), ref: 0040180C
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00406AC0: GetModuleHandleA.KERNEL32(00000000), ref: 00406ADE
      • Part of subcall function 00406AC0: LoadResource.KERNEL32 ref: 00406AE1
      • Part of subcall function 00406AC0: LockResource.KERNEL32 ref: 00406AE8
      • Part of subcall function 00406AC0: GetModuleHandleA.KERNEL32(00000000), ref: 00406AF4
      • Part of subcall function 00406AC0: SizeofResource.KERNEL32 ref: 00406AF7
      • Part of subcall function 00406AC0: GetDC.USER32(?), ref: 00406B4C
      • Part of subcall function 00406AC0: ReleaseDC.USER32(?), ref: 00406B60
    Strings
    • MS13-052: Security Update for Microsoft .NET Framework 4 on Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista,Windows Server 2003, and Windows XP (KB2835393) , xrefs: 0040BB38
    • JPG, xrefs: 0040BAD4
    • A security issue has been identified in a Microsoft software product thatcould affect your system. You can help protect your system by installing this updatefrom Microsoft. For a complete listing of the issues that are included in this update,see the associ, xrefs: 0040BB40
    • <, xrefs: 0040BBAE
    • F, xrefs: 0040BBEF
    • Arial, xrefs: 0040BA49
    • 2, xrefs: 0040BBE7
    • B, xrefs: 0040BC4E, 0040BC70, 0040BC74
    • Es wurde das Problem des Sicherheitssystems des ProgrammsproduktsMicrosoft gefunden, das die Systemarbeit beieinflussen kann. Um das System zuschutzen, muss man folgendes Auffrischen Microsoft aufspielen. Fur die volleAufzahlung der Probleme, die sich in di, xrefs: 0040BB0C
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041F19A, Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134
    APIs
      • Part of subcall function 00416AE5: EncodePointer.KERNEL32(00000000,0041F1C0,00436808,00000314,?,?,?,?,?,?,0041727F,00436808,Microsoft Visual C++ Runtime Library,00012010), ref: 00416AE7
    • LoadLibraryW.KERNEL32(USER32.DLL), ref: 0041F1D5
    • GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0041F1F1
    • EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0041F202
    • GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0041F20F
    • EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F212
    • GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0041F21F
    • EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F222
    • GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0041F22F
    • EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F232
    • GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0041F243
    • EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F246
    • DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F268
    • DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F272
    • DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F2B1
    • DecodePointer.KERNEL32(?), ref: 0041F2CB
    • DecodePointer.KERNEL32(00436808,00000314), ref: 0041F2DF
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416DDE, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 109
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416DE6
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00416E08
    • GetProcAddress.KERNEL32(?,FlsGetValue), ref: 00416E15
    • GetProcAddress.KERNEL32(?,FlsSetValue), ref: 00416E22
    • GetProcAddress.KERNEL32(?,FlsFree), ref: 00416E2F
    • TlsAlloc.KERNEL32(?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416E7F
    • TlsSetValue.KERNEL32 ref: 00416E9A
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EB5
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EC2
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416ECF
    • EncodePointer.KERNEL32(?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EDC
      • Part of subcall function 004163CF: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 004163F7
    • EncodePointer.KERNEL32(00416CAF,?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416EFD
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • EncodePointer.KERNEL32(?,?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416F2C
      • Part of subcall function 00416B68: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416B79
      • Part of subcall function 00416B68: InterlockedIncrement.KERNEL32(FF0042A7), ref: 00416BBA
    • GetCurrentThreadId.KERNEL32 ref: 00416F3E
      • Part of subcall function 00416B2B: DecodePointer.KERNEL32(?,00416F54,?,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc,00000000,?,00412CC9), ref: 00416B3C
      • Part of subcall function 00416B2B: TlsFree.KERNEL32 ref: 00416B56
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402300, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 222
    APIs
    • GetWindowRect.USER32(?,?), ref: 00402344
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040236F
    • GetParent.USER32(?), ref: 00402379
      • Part of subcall function 00401080: EnterCriticalSection.KERNEL32(0012FED0), ref: 004010B2
      • Part of subcall function 00401080: LeaveCriticalSection.KERNEL32(0012FED0), ref: 004010D6
      • Part of subcall function 00401080: PostMessageA.USER32(00000000,00008013,00000000,00000000), ref: 00401117
    • GetParent.USER32(?), ref: 00402390
    • GetWindowRect.USER32(?,?), ref: 004023B8
    • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00402401
    • GetProcAddress.KERNEL32(?,MonitorFromWindow), ref: 0040240F
    • GetProcAddress.KERNEL32(?,GetMonitorInfoA), ref: 0040241F
    • GetParent.USER32(?), ref: 004024C6
    • FreeLibrary.KERNEL32 ref: 00402506
    • IntersectRect.USER32(?,?,?), ref: 0040255B
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 004025DC
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C1C0, Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 401
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 0040C2CB
    • RegQueryInfoKeyA.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040C371
    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0040C3DA
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C4E6
    • RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C51E
    • RegSetValueExA.ADVAPI32(?,NameServer,00000000,00000001,?,?), ref: 0040C54F
    • RegCloseKey.ADVAPI32(?), ref: 0040C55C
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C5B8
    • RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C5EE
    • RegCloseKey.ADVAPI32(?), ref: 0040C603
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406B80, Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 314
    APIs
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • InitializeCriticalSection.KERNEL32(?), ref: 00406CAF
    • InitializeCriticalSection.KERNEL32(?), ref: 00406CB5
    • InitializeCriticalSection.KERNEL32(?), ref: 00406CBE
    • EnterCriticalSection.KERNEL32(?), ref: 00406CDB
    • TlsAlloc.KERNEL32 ref: 00406CE1
    • LeaveCriticalSection.KERNEL32(?), ref: 00406CF7
    • GetLastError.KERNEL32 ref: 00406D12
    • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00406D60
    • LeaveCriticalSection.KERNEL32(?), ref: 00406D93
    • VirtualQuery.KERNEL32(Function_00001DB0,?,0000001C), ref: 00406DD3
      • Part of subcall function 00407730: RegisterClassA.USER32 ref: 00407785
      • Part of subcall function 00407730: GetClassInfoA.USER32(?,Win32++ Temporary Window Class), ref: 004077C5
      • Part of subcall function 00407730: UnregisterClassA.USER32(Win32++ Temporary Window Class,?), ref: 004077E1
    • EnterCriticalSection.KERNEL32(?), ref: 00406DF6
      • Part of subcall function 004056D0: InterlockedIncrement.KERNEL32(?,?,0012FEB0), ref: 00405765
    • LeaveCriticalSection.KERNEL32(0012FE28,?,?,?,?,?,?,?), ref: 00406ED2
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,?), ref: 00412DF8
    Strings
    • CWinApp::CWinApp Failed to allocate TLS Index, xrefs: 00406D2B
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417D90, Relevance: 18.5, APIs: 12, Instructions: 494
    APIs
    • GetConsoleMode.KERNEL32(?,?), ref: 00417EA0
    • GetConsoleCP.KERNEL32 ref: 00417EC0
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00417FB0
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00417FD9
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00418032
      • Part of subcall function 0042000A: WriteConsoleW.KERNEL32(?,7C802446,00000001,00000000,00000000), ref: 0042003C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004181A0
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041827A
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0041834A
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041837B
    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,00000D55,00000000,00000000), ref: 00418391
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004183D2
    • GetLastError.KERNEL32(?,?,?,?,00000000,?,00000001,?,?,00418522,?,?,?,0042FFD0,00000010,004174F9), ref: 004183F1
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00417C21: SetFilePointer.KERNEL32(?,7C802446,00000000,00418B97), ref: 00417C63
      • Part of subcall function 00417C21: GetLastError.KERNEL32(?,7C802446,00000000,00418B97,?,7C802446,?,?,?,00417E63,7C802446,00000000,00000000,00000002,?,00000001), ref: 00417C70
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004086F0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 217
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00408759
    • ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 004087AC
    • GetFileAttributesA.KERNEL32(?), ref: 004087FC
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040881B
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • Sleep.KERNEL32 ref: 00408885
      • Part of subcall function 0040D0C0: ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 0040D118
      • Part of subcall function 0040D0C0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D165
      • Part of subcall function 004084B0: lstrlenA.KERNEL32(.bat,?,.bat,00000004), ref: 004084DC
      • Part of subcall function 004084B0: lstrlenA.KERNEL32(0042DCF0,?,00000000,?,.bat,00000004), ref: 004084ED
    • Sleep.KERNEL32 ref: 00408973
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000002), ref: 00408980
    • PostQuitMessage.USER32(00000000), ref: 00408987
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004060D0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 199
    APIs
      • Part of subcall function 00411553: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041155E
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406122
      • Part of subcall function 0040D2D0: LoadLibraryA.KERNEL32(advapi32), ref: 0040D2F5
      • Part of subcall function 0040D2D0: GetProcAddress.KERNEL32(?,CheckTokenMembership), ref: 0040D308
      • Part of subcall function 0040D2D0: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D32B
      • Part of subcall function 0040D2D0: DuplicateToken.ADVAPI32 ref: 0040D342
      • Part of subcall function 0040D2D0: FreeLibrary.KERNEL32 ref: 0040D350
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    • KillTimer.USER32(?,00000001), ref: 00406210
      • Part of subcall function 00406350: SetTimer.USER32(?,00000001,?,00000000), ref: 00406388
    • ShellExecuteA.SHELL32(?,runas,?,?,?,00000005), ref: 00406234
      • Part of subcall function 0040D5D0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040D6DF
      • Part of subcall function 0040D5D0: Process32First.KERNEL32(?,?), ref: 0040D6FF
      • Part of subcall function 0040D5D0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040D7B8
      • Part of subcall function 0040D5D0: TerminateProcess.KERNEL32(?,00000009), ref: 0040D7C7
      • Part of subcall function 0040D5D0: CloseHandle.KERNEL32 ref: 0040D7CE
      • Part of subcall function 0040D5D0: Process32Next.KERNEL32(?,00000128), ref: 0040D7DC
      • Part of subcall function 0040D5D0: CloseHandle.KERNEL32(?), ref: 0040D803
    • PostQuitMessage.USER32 ref: 00406249
      • Part of subcall function 0040CC20: GetLocalTime.KERNEL32(?), ref: 0040CC36
      • Part of subcall function 0040CAC0: GetCurrentDirectoryA.KERNEL32(00000104), ref: 0040CAF4
      • Part of subcall function 0040CAC0: lstrcatA.KERNEL32(?,0042DDF4,0000000A), ref: 0040CB68
      • Part of subcall function 0040CAC0: lstrcatA.KERNEL32(?,?,?,0042DDF4,0000000A), ref: 0040CB72
      • Part of subcall function 0040CAC0: FindFirstFileA.KERNEL32(?,?), ref: 0040CB7C
      • Part of subcall function 0040CAC0: FindNextFileA.KERNEL32(?,?), ref: 0040CBF8
      • Part of subcall function 0040CAC0: FindClose.KERNEL32 ref: 0040CC03
      • Part of subcall function 0040C760: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C7C1
      • Part of subcall function 0040C760: RegSetValueExA.ADVAPI32(?,MaxCacheTtl,00000000,00000004,?,00000004), ref: 0040C806
      • Part of subcall function 0040C760: RegSetValueExA.ADVAPI32(?,MaxNegativeCacheTtl,?,00000004,00000001,00000004), ref: 0040C82A
      • Part of subcall function 0040C1C0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 0040C2CB
      • Part of subcall function 0040C1C0: RegQueryInfoKeyA.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040C371
      • Part of subcall function 0040C1C0: RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0040C3DA
      • Part of subcall function 0040C1C0: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C4E6
      • Part of subcall function 0040C1C0: RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C51E
      • Part of subcall function 0040C1C0: RegSetValueExA.ADVAPI32(?,NameServer,00000000,00000001,?,?), ref: 0040C54F
      • Part of subcall function 0040C1C0: RegCloseKey.ADVAPI32(?), ref: 0040C55C
      • Part of subcall function 0040C1C0: RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C5B8
      • Part of subcall function 0040C1C0: RegSetValueExA.ADVAPI32(?,DhcpNameServer,00000000,00000001,?,?), ref: 0040C5EE
      • Part of subcall function 0040C1C0: RegCloseKey.ADVAPI32(?), ref: 0040C603
      • Part of subcall function 0040C850: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C922
      • Part of subcall function 0040C850: GetProcessHeap.KERNEL32 ref: 0040C93C
      • Part of subcall function 0040C850: HeapAlloc.KERNEL32(?,?,00000000), ref: 0040C943
      • Part of subcall function 0040C850: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 0040C966
      • Part of subcall function 0040C850: RasGetEntryPropertiesA.RASAPI32(00000000,?,?,?,00000000,00000000), ref: 0040C9BD
      • Part of subcall function 0040C850: RasSetEntryPropertiesA.RASAPI32(00000000,?,00000B84,00000B84,00000000,00000000), ref: 0040CA62
      • Part of subcall function 0040C850: GetProcessHeap.KERNEL32 ref: 0040CA8F
      • Part of subcall function 0040C850: HeapFree.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040CA96
      • Part of subcall function 0040D210: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D231
      • Part of subcall function 0040D210: SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D243
      • Part of subcall function 0040D210: GetLastError.KERNEL32 ref: 0040D24D
      • Part of subcall function 0040D210: GetTickCount.KERNEL32 ref: 0040D271
      • Part of subcall function 0040D210: DeleteFileA.KERNEL32(?), ref: 0040D287
      • Part of subcall function 0040D210: GetTickCount.KERNEL32 ref: 0040D28D
      • Part of subcall function 0040D210: Sleep.KERNEL32(000000FA), ref: 0040D29B
      • Part of subcall function 0040D210: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040D2AE
      • Part of subcall function 0040D0C0: ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 0040D118
      • Part of subcall function 0040D0C0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D165
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000002), ref: 004062E8
    • PostQuitMessage.USER32(00000000), ref: 004062F0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D5D0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 193
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040D6DF
    • Process32First.KERNEL32(?,?), ref: 0040D6FF
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040D7B8
    • TerminateProcess.KERNEL32(?,00000009), ref: 0040D7C7
    • CloseHandle.KERNEL32 ref: 0040D7CE
    • Process32Next.KERNEL32(?,00000128), ref: 0040D7DC
    • CloseHandle.KERNEL32(?), ref: 0040D803
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00405F60, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
    APIs
    • MessageBeep.USER32(000000FF), ref: 00405F75
    • GetDesktopWindow.USER32 ref: 00405F7B
    • GetWindowRect.USER32(?,?), ref: 00405F86
    • ShowWindow.USER32(?,00000005), ref: 00406003
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406013
    • TranslateMessage.USER32(?), ref: 00406034
    • DispatchMessageA.USER32(?), ref: 0040603A
    • IsWindow.USER32(?), ref: 00406043
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00406057
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D210, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 64
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D231
    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D243
    • GetLastError.KERNEL32 ref: 0040D24D
    • GetTickCount.KERNEL32 ref: 0040D271
    • DeleteFileA.KERNEL32(?), ref: 0040D287
    • GetTickCount.KERNEL32 ref: 0040D28D
    • Sleep.KERNEL32(000000FA), ref: 0040D29B
    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040D2AE
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D2D0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 62
    APIs
    • LoadLibraryA.KERNEL32(advapi32), ref: 0040D2F5
    • GetProcAddress.KERNEL32(?,CheckTokenMembership), ref: 0040D308
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D32B
    • DuplicateToken.ADVAPI32 ref: 0040D342
    • FreeLibrary.KERNEL32 ref: 0040D350
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406910, Relevance: 13.6, APIs: 9, Instructions: 101
    APIs
    • GlobalAlloc.KERNEL32(00000002,?), ref: 00406924
    • GlobalLock.KERNEL32 ref: 0040692D
    • GlobalUnlock.KERNEL32 ref: 00406945
    • CreateStreamOnHGlobal.OLE32(?,00000001,?), ref: 00406959
    • #418.OLEAUT32(00000000,00000000,00000000,0042A470,00000000,?,00000001,?), ref: 00406970
    • GetDC.USER32(00000000), ref: 0040699D
    • GetDeviceCaps.GDI32(?,00000058), ref: 004069A8
    • GetDeviceCaps.GDI32(?,00000058), ref: 004069E5
    • ReleaseDC.USER32(00000000), ref: 00406A24
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00422BD3, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 244
    APIs
    • GetCPInfo.KERNEL32(00000000,?), ref: 00422C91
    • MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,00000000,00000000), ref: 00422D17
    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000), ref: 00422D8A
    • MultiByteToWideChar.KERNEL32(00000000,00000009,q.B,?,00000000,00000000), ref: 00422DA3
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,?,?,?,?,004111D4,?), ref: 004116DC
    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000), ref: 00422DFF
    • CompareStringW.KERNEL32(?,?,00000000,?,00000000), ref: 00422E13
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041C4A6, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191
    APIs
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 00416790: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004167E8
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000), ref: 004168C5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004), ref: 004168E5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00416921
    • InterlockedDecrement.KERNEL32(?), ref: 0041C64A
    • InterlockedDecrement.KERNEL32(?), ref: 0041C657
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041D0EF, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172
    APIs
      • Part of subcall function 0041D0B3: EnumSystemLocalesA.KERNEL32(0041CF8C,00000001), ref: 0041D0DE
      • Part of subcall function 0041D04C: EnumSystemLocalesA.KERNEL32(0041CDBB,00000001), ref: 0041D093
    • EnumSystemLocalesA.KERNEL32(0041CCB9,00000001), ref: 0041D1BF
    • GetUserDefaultLCID.KERNEL32 ref: 0041D1D8
      • Part of subcall function 0041CBC4: GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002), ref: 0041CC03
      • Part of subcall function 0041CBC4: GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002), ref: 0041CC2C
      • Part of subcall function 0041CBC4: GetACP.KERNEL32 ref: 0041CC40
    • IsValidCodePage.KERNEL32 ref: 0041D22A
    • IsValidLocale.KERNEL32(?,00000001), ref: 0041D23D
    • GetLocaleInfoA.KERNEL32(?,00001002,?,00000040), ref: 0041D2BB
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
    • GetLocaleInfoA.KERNEL32(?,00001001,?,00000040), ref: 0041D2A7
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00417142, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,0043683A,00000104,00000001,?,00000000), ref: 004171DE
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
      • Part of subcall function 0041F19A: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0041F1D5
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0041F1F1
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,MessageBoxW), ref: 0041F202
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0041F20F
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F212
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0041F21F
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F222
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0041F22F
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F232
      • Part of subcall function 0041F19A: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0041F243
      • Part of subcall function 0041F19A: EncodePointer.KERNEL32(?,?,GetProcessWindowStation,?,?,GetUserObjectInformationW,?,?,GetLastActivePopup,?,?,GetActiveWindow,?,?,MessageBoxW), ref: 0041F246
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F268
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F272
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?,00436808,00000314), ref: 0041F2B1
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(?), ref: 0041F2CB
      • Part of subcall function 0041F19A: DecodePointer.KERNEL32(00436808,00000314), ref: 0041F2DF
    • GetStdHandle.KERNEL32(000000F4), ref: 00417290
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004172DC
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040C760, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75
    APIs
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040C7C1
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    • RegSetValueExA.ADVAPI32(?,MaxCacheTtl,00000000,00000004,?,00000004), ref: 0040C806
    • RegSetValueExA.ADVAPI32(?,MaxNegativeCacheTtl,?,00000004,00000001,00000004), ref: 0040C82A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00419DBB, Relevance: 12.1, APIs: 8, Instructions: 61
    APIs
    • InterlockedDecrement.KERNEL32(?), ref: 00419DD5
    • InterlockedDecrement.KERNEL32(?), ref: 00419DE2
    • InterlockedDecrement.KERNEL32(?), ref: 00419DEF
    • InterlockedDecrement.KERNEL32(?), ref: 00419DFC
    • InterlockedDecrement.KERNEL32(?), ref: 00419E09
    • InterlockedDecrement.KERNEL32 ref: 00419E25
    • InterlockedDecrement.KERNEL32(00000000), ref: 00419E35
    • InterlockedDecrement.KERNEL32(?), ref: 00419E4B
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00419D2C, Relevance: 12.1, APIs: 8, Instructions: 58
    APIs
    • InterlockedIncrement.KERNEL32(004111D4,00000001,004111D4), ref: 00419D3E
    • InterlockedIncrement.KERNEL32(000051E8), ref: 00419D4B
    • InterlockedIncrement.KERNEL32(5853E856), ref: 00419D58
    • InterlockedIncrement.KERNEL32(FF8BC359), ref: 00419D65
    • InterlockedIncrement.KERNEL32(50FEE856), ref: 00419D72
    • InterlockedIncrement.KERNEL32 ref: 00419D8E
    • InterlockedIncrement.KERNEL32(50F0458D), ref: 00419D9E
    • InterlockedIncrement.KERNEL32(00005421), ref: 00419DB4
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00407040, Relevance: 10.8, APIs: 7, Instructions: 332
    APIs
      • Part of subcall function 00407B00: InterlockedIncrement.KERNEL32(?,?), ref: 00407B2E
      • Part of subcall function 00407B00: InterlockedDecrement.KERNEL32(?), ref: 00407B47
      • Part of subcall function 004057A0: InterlockedDecrement.KERNEL32(?,0040506E,00000000), ref: 004057B7
      • Part of subcall function 004056D0: InterlockedIncrement.KERNEL32(?,?,0012FEB0), ref: 00405765
    • IsWindow.USER32(?), ref: 00407144
    • DestroyWindow.USER32(?), ref: 0040714F
    • TlsSetValue.KERNEL32(?,00000000), ref: 004072F6
    • TlsFree.KERNEL32(?), ref: 00407303
    • DeleteCriticalSection.KERNEL32(?), ref: 00407320
    • DeleteCriticalSection.KERNEL32(?), ref: 00407326
    • DeleteCriticalSection.KERNEL32(?), ref: 0040732C
      • Part of subcall function 004057F0: InterlockedDecrement.KERNEL32(?,?,?), ref: 00405807
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040708B, Relevance: 10.8, APIs: 7, Instructions: 299
    APIs
      • Part of subcall function 00407B00: InterlockedIncrement.KERNEL32(?,?), ref: 00407B2E
      • Part of subcall function 00407B00: InterlockedDecrement.KERNEL32(?), ref: 00407B47
      • Part of subcall function 004057A0: InterlockedDecrement.KERNEL32(?,0040506E,00000000), ref: 004057B7
      • Part of subcall function 004056D0: InterlockedIncrement.KERNEL32(?,?,0012FEB0), ref: 00405765
    • IsWindow.USER32(?), ref: 00407144
    • DestroyWindow.USER32(?), ref: 0040714F
    • TlsSetValue.KERNEL32(?,00000000), ref: 004072F6
    • TlsFree.KERNEL32(?), ref: 00407303
    • DeleteCriticalSection.KERNEL32(?), ref: 00407320
    • DeleteCriticalSection.KERNEL32(?), ref: 00407326
    • DeleteCriticalSection.KERNEL32(?), ref: 0040732C
      • Part of subcall function 004057F0: InterlockedDecrement.KERNEL32(?,?,?), ref: 00405807
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041751C, Relevance: 10.7, APIs: 7, Instructions: 195
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 00417527
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • GetFileType.KERNEL32 ref: 0041765A
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00417690
    • GetStdHandle.KERNEL32 ref: 004176E4
    • GetFileType.KERNEL32 ref: 004176F6
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00417724
    • LockResource.KERNEL32 ref: 0041774D
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406AC0, Relevance: 10.6, APIs: 7, Instructions: 69
    APIs
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,?,?,?,?,004111D4,?), ref: 004116DC
    • GetModuleHandleA.KERNEL32(00000000), ref: 00406ADE
    • LoadResource.KERNEL32 ref: 00406AE1
    • LockResource.KERNEL32 ref: 00406AE8
    • GetModuleHandleA.KERNEL32(00000000), ref: 00406AF4
    • SizeofResource.KERNEL32 ref: 00406AF7
      • Part of subcall function 00406910: GlobalAlloc.KERNEL32(00000002,?), ref: 00406924
      • Part of subcall function 00406910: GlobalLock.KERNEL32 ref: 0040692D
      • Part of subcall function 00406910: GlobalUnlock.KERNEL32 ref: 00406945
      • Part of subcall function 00406910: CreateStreamOnHGlobal.OLE32(?,00000001,?), ref: 00406959
      • Part of subcall function 00406910: #418.OLEAUT32(00000000,00000000,00000000,0042A470,00000000,?,00000001,?), ref: 00406970
      • Part of subcall function 00406910: GetDC.USER32(00000000), ref: 0040699D
      • Part of subcall function 00406910: GetDeviceCaps.GDI32(?,00000058), ref: 004069A8
      • Part of subcall function 00406910: GetDeviceCaps.GDI32(?,00000058), ref: 004069E5
      • Part of subcall function 00406910: ReleaseDC.USER32(00000000), ref: 00406A24
    • GetDC.USER32(?), ref: 00406B4C
    • ReleaseDC.USER32(?), ref: 00406B60
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004211F1, Relevance: 9.2, APIs: 6, Instructions: 191
    APIs
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 0042136F
    • GetLastError.KERNEL32(?,00000000), ref: 00421377
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004213B1
    • GetExitCodeProcess.KERNEL32(?,00000000), ref: 004213BE
    • CloseHandle.KERNEL32(?), ref: 004213D2
    • CloseHandle.KERNEL32(?), ref: 004213DC
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00415226, Relevance: 9.2, APIs: 6, Instructions: 190
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000100,00000000,00000000), ref: 00415297
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?), ref: 00415305
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,00000000), ref: 00415321
    • LCMapStringW.KERNEL32(?,?,?,?,00000000), ref: 0041535A
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,?,?,?,?,004111D4,?), ref: 004116DC
    • LCMapStringW.KERNEL32(?,?,?,?,?,?), ref: 004153C0
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004153DF
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00423261, Relevance: 9.2, APIs: 6, Instructions: 156
    APIs
      • Part of subcall function 00417C21: SetFilePointer.KERNEL32(?,7C802446,00000000,00418B97), ref: 00417C63
      • Part of subcall function 00417C21: GetLastError.KERNEL32(?,7C802446,00000000,00418B97,?,7C802446,?,?,?,00417E63,7C802446,00000000,00000000,00000002,?,00000001), ref: 00417C70
    • GetProcessHeap.KERNEL32 ref: 004232CA
    • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00421D37), ref: 004232D1
      • Part of subcall function 00417D90: GetConsoleMode.KERNEL32(?,?), ref: 00417EA0
      • Part of subcall function 00417D90: GetConsoleCP.KERNEL32 ref: 00417EC0
      • Part of subcall function 00417D90: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00417FB0
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00417FD9
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00418032
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004181A0
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041827A
      • Part of subcall function 00417D90: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0041834A
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041837B
      • Part of subcall function 00417D90: GetLastError.KERNEL32(?,?,?,?,00000000,?,?,00000D55,00000000,00000000), ref: 00418391
      • Part of subcall function 00417D90: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004183D2
      • Part of subcall function 00417D90: GetLastError.KERNEL32(?,?,?,?,00000000,?,00000001,?,?,00418522,?,?,?,0042FFD0,00000010,004174F9), ref: 004183F1
    • GetProcessHeap.KERNEL32 ref: 0042334D
    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00421D37), ref: 00423354
    • SetEndOfFile.KERNEL32 ref: 004233AF
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00421D37), ref: 004233DC
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00401F00, Relevance: 9.1, APIs: 6, Instructions: 143
    APIs
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 004043D0: InterlockedIncrement.KERNEL32(00000000,?,0012FED0), ref: 00404436
    • InterlockedIncrement.KERNEL32(?,?), ref: 00401F6B
    • InterlockedDecrement.KERNEL32(00000000,?), ref: 00401F88
    • InterlockedDecrement.KERNEL32(?,?), ref: 00401FAC
    • InterlockedIncrement.KERNEL32(?,?), ref: 00401FE7
    • InterlockedDecrement.KERNEL32(?,?), ref: 00402004
    • InterlockedDecrement.KERNEL32(?,?), ref: 00402028
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040CAC0, Relevance: 9.1, APIs: 6, Instructions: 121
    APIs
    • GetCurrentDirectoryA.KERNEL32(00000104), ref: 0040CAF4
    • lstrcatA.KERNEL32(?,0042DDF4,0000000A), ref: 0040CB68
    • lstrcatA.KERNEL32(?,?,?,0042DDF4,0000000A), ref: 0040CB72
    • FindFirstFileA.KERNEL32(?,?), ref: 0040CB7C
    • FindNextFileA.KERNEL32(?,?), ref: 0040CBF8
    • FindClose.KERNEL32 ref: 0040CC03
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004111B5, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
    APIs
      • Part of subcall function 00411697: HeapAlloc.KERNEL32(00000000,00000001,?,?,?,?,004111D4,?), ref: 004116DC
      • Part of subcall function 004163A7: DecodePointer.KERNEL32(?,0041171A,?,?,?,004111D4,?), ref: 004163B2
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,?), ref: 00412DF8
    • GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041CBC4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002), ref: 0041CC03
    • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002), ref: 0041CC2C
    • GetACP.KERNEL32 ref: 0041CC40
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00411378, Relevance: 7.6, APIs: 5, Instructions: 98
    APIs
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,004111D4,?,00416BB2,0000000D), ref: 00416573
    • DecodePointer.KERNEL32(0042FAF8,00000020,004114DF,004111D4,00000001,00000000,?,0041151F,000000FF,?,00416570,00000011,004111D4,?,00416BB2,0000000D), ref: 004113C2
    • DecodePointer.KERNEL32(?,0041151F,000000FF,?,00416570,00000011,004111D4,?,00416BB2,0000000D), ref: 004113D3
      • Part of subcall function 00416AE5: EncodePointer.KERNEL32(00000000,0041F1C0,00436808,00000314,?,?,?,?,?,?,0041727F,00436808,Microsoft Visual C++ Runtime Library,00012010), ref: 00416AE7
    • DecodePointer.KERNEL32(?,?,0041151F,000000FF,?,00416570,00000011,004111D4,?,00416BB2,0000000D), ref: 004113F9
    • DecodePointer.KERNEL32(?,?,0041151F,000000FF,?,00416570,00000011,004111D4,?,00416BB2,0000000D), ref: 0041140C
    • DecodePointer.KERNEL32(?,?,0041151F,000000FF,?,00416570,00000011,004111D4,?,00416BB2,0000000D), ref: 00411416
      • Part of subcall function 00416470: LeaveCriticalSection.KERNEL32(?,00416547,0000000A,00416537,0042FEC0,0000000C,00416564,004111D4,004111D4,?,00416BB2,0000000D), ref: 0041647F
      • Part of subcall function 00411260: ExitProcess.KERNEL32(004111D4,?,004164B9,000000FF,0000001E,0042FEC0,0000000C,00416564,004111D4,004111D4,?,00416BB2,0000000D), ref: 00411271
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00401DE0, Relevance: 7.6, APIs: 5, Instructions: 96
    APIs
    • TlsGetValue.KERNEL32(?,?,0012FED0), ref: 00401E16
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • EnterCriticalSection.KERNEL32(?,?), ref: 00401E6A
      • Part of subcall function 00404580: InterlockedIncrement.KERNEL32(00000000,?,?), ref: 004045E6
      • Part of subcall function 00404320: InterlockedIncrement.KERNEL32(?,00000000,00401E8B), ref: 0040435C
      • Part of subcall function 00404320: InterlockedIncrement.KERNEL32(?,00000000,00401E8B), ref: 0040438A
    • InterlockedDecrement.KERNEL32 ref: 00401E9C
    • LeaveCriticalSection.KERNEL32(?), ref: 00401ED1
    • TlsSetValue.KERNEL32(?,00000000), ref: 00401EE2
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004015C0, Relevance: 7.6, APIs: 5, Instructions: 86
    APIs
    • EnterCriticalSection.KERNEL32(0012FED0), ref: 004015EA
    • LeaveCriticalSection.KERNEL32(0012FED0), ref: 0040160C
    • InterlockedIncrement.KERNEL32(?), ref: 0040165F
      • Part of subcall function 004057A0: InterlockedDecrement.KERNEL32(?,0040506E,00000000), ref: 004057B7
    • WindowFromDC.USER32(?), ref: 0040167B
    • SaveDC.GDI32(?), ref: 00401698
      • Part of subcall function 00401550: EnterCriticalSection.KERNEL32(0012FE28,?,0012FED0), ref: 0040156C
      • Part of subcall function 00401550: LeaveCriticalSection.KERNEL32(0012FE28,0012FE80), ref: 004015B3
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00401450, Relevance: 7.6, APIs: 5, Instructions: 81
    APIs
    • EnterCriticalSection.KERNEL32(0012FED0), ref: 00401482
    • LeaveCriticalSection.KERNEL32(?), ref: 004014A9
    • InterlockedIncrement.KERNEL32(?), ref: 004014BF
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    • SaveDC.GDI32(00000000), ref: 00401504
    • WindowFromDC.USER32(00000000), ref: 00401511
      • Part of subcall function 00401550: EnterCriticalSection.KERNEL32(0012FE28,?,0012FED0), ref: 0040156C
      • Part of subcall function 00401550: LeaveCriticalSection.KERNEL32(0012FE28,0012FE80), ref: 004015B3
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00410FAF, Relevance: 7.6, APIs: 5, Instructions: 74
    APIs
    • EncodePointer.KERNEL32(004362E8,0042A4F4,?,?,?,004110B3,?,0042FAB8,0000000C,004110DF,?,?,00411219,0042956B,?), ref: 00410FC4
    • EncodePointer.KERNEL32(?,?,?,004110B3,?,0042FAB8,0000000C,004110DF,?,?,00411219,0042956B,?), ref: 00410FD1
      • Part of subcall function 0041625F: HeapSize.KERNEL32(00000000,00000000,?,00410FEF,?,?,?,?,004110B3,?,0042FAB8,0000000C,004110DF,?,?,00411219), ref: 0041628A
      • Part of subcall function 00415A7D: Sleep.KERNEL32(00000000), ref: 00415AA7
    • EncodePointer.KERNEL32(?,?,?,?,004110B3,?,0042FAB8,0000000C,004110DF,?,?,00411219,0042956B,?), ref: 00411036
    • EncodePointer.KERNEL32(?,?,?,?,004110B3,?,0042FAB8,0000000C,004110DF,?,?,00411219,0042956B,?), ref: 0041104A
    • EncodePointer.KERNEL32(?,?,?,?,004110B3,?,0042FAB8,0000000C,004110DF,?,?,00411219,0042956B,?), ref: 00411052
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B6BC, Relevance: 7.6, APIs: 5, Instructions: 72
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0041B6C6
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B704
    • FreeEnvironmentStringsW.KERNEL32 ref: 0041B746
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041B727
    • FreeEnvironmentStringsW.KERNEL32 ref: 0041B73A
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00407519, Relevance: 7.6, APIs: 5, Instructions: 66
    APIs
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00407535
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040755C
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040756B
    • TranslateMessage.USER32(?), ref: 0040759A
    • DispatchMessageA.USER32(?), ref: 004075A4
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B753, Relevance: 7.6, APIs: 5, Instructions: 54
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0041B78A
    • GetCurrentProcessId.KERNEL32 ref: 0041B796
    • GetCurrentThreadId.KERNEL32 ref: 0041B79E
    • GetTickCount.KERNEL32 ref: 0041B7A6
    • QueryPerformanceCounter.KERNEL32(?), ref: 0041B7B2
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402600, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176
    APIs
    • GetClassInfoA.USER32(?,00000000,00000000), ref: 00402688
    • RegisterClassA.USER32(?), ref: 004026F2
      • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401A61
      • Part of subcall function 00401A50: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00401A9F
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,?), ref: 00412DF8
      • Part of subcall function 004019B0: EnterCriticalSection.KERNEL32(0012FED0), ref: 004019DA
      • Part of subcall function 004019B0: LeaveCriticalSection.KERNEL32(0012FED0), ref: 004019FF
      • Part of subcall function 004019B0: IsMenu.USER32(00000000), ref: 00401A09
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040D0C0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
    APIs
    • ExpandEnvironmentStringsA.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 0040D118
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040D165
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00407730, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
    APIs
    • RegisterClassA.USER32 ref: 00407785
    • GetClassInfoA.USER32(?,Win32++ Temporary Window Class), ref: 004077C5
    • UnregisterClassA.USER32(Win32++ Temporary Window Class,?), ref: 004077E1
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00411235, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
    • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416790, Relevance: 6.2, APIs: 4, Instructions: 155
    APIs
    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004167E8
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
    • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000), ref: 004168C5
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • GetLocaleInfoW.KERNEL32(?,00001004), ref: 004168E5
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    • GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00416921
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004139C7, Relevance: 6.1, APIs: 4, Instructions: 133
    APIs
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    • InterlockedDecrement.KERNEL32(?), ref: 00413A93
    • InterlockedDecrement.KERNEL32(?), ref: 00413AAA
      • Part of subcall function 00416A83: GetCurrentProcess.KERNEL32 ref: 00416A99
      • Part of subcall function 00416A83: TerminateProcess.KERNEL32 ref: 00416AA0
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    • InterlockedDecrement.KERNEL32(?,00000000,00000000), ref: 00413AF3
    • InterlockedDecrement.KERNEL32(?,00000000,00000000), ref: 00413B0A
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00419B74, Relevance: 6.1, APIs: 4, Instructions: 116
    APIs
      • Part of subcall function 0041986B: InterlockedDecrement.KERNEL32(?,00430030,0000000C), ref: 004198C4
      • Part of subcall function 0041986B: InterlockedIncrement.KERNEL32(00952CC8,00430030,0000000C), ref: 004198EF
      • Part of subcall function 0041990F: GetOEMCP.KERNEL32 ref: 00419938
      • Part of subcall function 0041990F: GetACP.KERNEL32 ref: 0041995B
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 0041998B: IsValidCodePage.KERNEL32 ref: 004199FE
      • Part of subcall function 0041998B: GetCPInfo.KERNEL32(?,?), ref: 00419A11
    • InterlockedDecrement.KERNEL32(85038B09,00430050,00000014), ref: 00419BEA
    • InterlockedIncrement.KERNEL32 ref: 00419C0F
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,004111D4,?,00416BB2,0000000D), ref: 00416573
    • InterlockedDecrement.KERNEL32 ref: 00419CA1
    • InterlockedIncrement.KERNEL32 ref: 00419CC5
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004075F0, Relevance: 6.1, APIs: 4, Instructions: 104
    APIs
    • TranslateAcceleratorA.USER32(?,?,?), ref: 00407637
    • EnterCriticalSection.KERNEL32(?), ref: 00407663
    • LeaveCriticalSection.KERNEL32(?), ref: 004076B5
    • GetParent.USER32(?), ref: 004076D7
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00402090, Relevance: 6.1, APIs: 4, Instructions: 78
    APIs
    • IsWindow.USER32(00000001), ref: 004020D6
    • DestroyWindow.USER32(00000001), ref: 004020E4
      • Part of subcall function 004031E0: EnterCriticalSection.KERNEL32(?,?,00000000), ref: 0040320C
      • Part of subcall function 004031E0: LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00403250
    • InterlockedDecrement.KERNEL32 ref: 00402117
    • InterlockedDecrement.KERNEL32 ref: 0040213A
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0040B4F0, Relevance: 6.1, APIs: 4, Instructions: 66
    APIs
    • DeleteObject.GDI32 ref: 0040B50F
    • EnterCriticalSection.KERNEL32(0012FED0), ref: 0040B537
    • LeaveCriticalSection.KERNEL32(0012FED0), ref: 0040B55C
    • InterlockedIncrement.KERNEL32(?), ref: 0040B57F
      • Part of subcall function 0040B480: EnterCriticalSection.KERNEL32(0012FE28), ref: 0040B49C
      • Part of subcall function 0040B480: LeaveCriticalSection.KERNEL32(0012FE28), ref: 0040B4E4
      • Part of subcall function 0040B5B0: EnterCriticalSection.KERNEL32(0012FE28,?,0040B50E), ref: 0040B5C3
      • Part of subcall function 0040B5B0: InterlockedDecrement.KERNEL32(?,?), ref: 0040B5E6
      • Part of subcall function 0040B5B0: LeaveCriticalSection.KERNEL32(0012FE28,?,?,0040B50E), ref: 0040B60E
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416C1C, Relevance: 6.0, APIs: 4, Instructions: 45
    APIs
    • GetLastError.KERNEL32(?,?,00415B64,00411720,?,?,004111D4,?), ref: 00416C20
      • Part of subcall function 00416AF7: TlsGetValue.KERNEL32(?,00416C33), ref: 00416B00
      • Part of subcall function 00416AF7: DecodePointer.KERNEL32(?,00416C33,?,?,00415B64,00411720,?,?,004111D4,?), ref: 00416B12
      • Part of subcall function 00416AF7: TlsSetValue.KERNEL32 ref: 00416B21
    • SetLastError.KERNEL32(?,?,?,00415B64,00411720,?,?,004111D4,?), ref: 00416C8A
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
    • DecodePointer.KERNEL32(?,?,?,00415B64,00411720,?,?,004111D4,?), ref: 00416C5C
    • GetCurrentThreadId.KERNEL32 ref: 00416C72
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
      • Part of subcall function 00416B68: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416B79
      • Part of subcall function 00416B68: InterlockedIncrement.KERNEL32(FF0042A7), ref: 00416BBA
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00403270, Relevance: 6.0, APIs: 4, Instructions: 42
    APIs
    • GetSystemMetrics.USER32(0000000C), ref: 004032A0
    • GetSystemMetrics.USER32(0000000B), ref: 004032A5
    • LoadImageA.USER32(?,?,00000001), ref: 004032B0
    • SendMessageA.USER32(?,00000080,00000001), ref: 004032C9
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 004032E0, Relevance: 6.0, APIs: 4, Instructions: 42
    APIs
    • GetSystemMetrics.USER32(00000032), ref: 00403310
    • GetSystemMetrics.USER32(00000031), ref: 00403315
    • LoadImageA.USER32(?,?,00000001), ref: 00403320
    • SendMessageA.USER32(?,00000080,00000000), ref: 00403339
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041C794, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 345
    APIs
      • Part of subcall function 00415A31: Sleep.KERNEL32(00000000), ref: 00415A59
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
      • Part of subcall function 00416790: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004167E8
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000), ref: 004168C5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,00001004), ref: 004168E5
      • Part of subcall function 00416790: GetLocaleInfoW.KERNEL32(?,?,00000000,00000002), ref: 00416921
    • InterlockedDecrement.KERNEL32 ref: 0041CAA0
    • InterlockedDecrement.KERNEL32 ref: 0041CAB1
      • Part of subcall function 0041165D: HeapFree.KERNEL32(00000000,00000000,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411673
      • Part of subcall function 0041165D: GetLastError.KERNEL32(?,?,00416C86,?,?,?,?,00415B64,00411720), ref: 00411685
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00403100, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
    APIs
    • GetClassInfoA.USER32(?,?,00000000), ref: 0040316A
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
      • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401A61
      • Part of subcall function 00401A50: FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,000000FE,00000000), ref: 00401A9F
      • Part of subcall function 00412DB6: RaiseException.KERNEL32(?,?,00411234,?), ref: 00412DF8
    • RegisterClassA.USER32(?), ref: 004031B7
    • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 0040320C
    • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00403250
    Strings
    • Failed to register window class, xrefs: 004031C2
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B603, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe,00000104), ref: 0041B62D
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 0041B601, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe,00000104), ref: 0041B62D
      • Part of subcall function 004159EC: Sleep.KERNEL32(00000000), ref: 00415A0D
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00406589, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
    APIs
      • Part of subcall function 00410A4E: IsDebuggerPresent.KERNEL32 ref: 00415E1D
      • Part of subcall function 00410A4E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00415E32
      • Part of subcall function 00410A4E: UnhandledExceptionFilter.KERNEL32(PcC), ref: 00415E3D
      • Part of subcall function 00410A4E: GetCurrentProcess.KERNEL32 ref: 00415E59
      • Part of subcall function 00410A4E: TerminateProcess.KERNEL32 ref: 00415E60
    • FindWindowA.USER32(#32770,00000000), ref: 00406597
      • Part of subcall function 004111B5: GetModuleHandleW.KERNEL32(mscoree.dll), ref: 0041123F
      • Part of subcall function 004111B5: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0041124F
      • Part of subcall function 0040BE30: GetWindowThreadProcessId.USER32(?,?), ref: 0040BE6F
      • Part of subcall function 0040BE30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040BE78
      • Part of subcall function 0040BE30: Process32First.KERNEL32(?,?), ref: 0040BEA0
      • Part of subcall function 0040BE30: Process32Next.KERNEL32(?,00000128), ref: 0040BEC6
      • Part of subcall function 0040BE30: CloseHandle.KERNEL32(?), ref: 0040BF54
    • SetActiveWindow.USER32 ref: 00406673
    • EnumChildWindows.USER32(?,00406530,00000000), ref: 00406681
    • ExitThread.KERNEL32(00000000,?,00406530,00000000), ref: 00406689
    • CertOpenSystemStoreA.CRYPT32(00000000,ROOT,?,?,?,00000000), ref: 004066C3
    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00406729
    • CertCreateCertificateContext.CRYPT32(00010001,?,?,?,?,?,00000000), ref: 0040673F
    • CertCloseStore.CRYPT32(?,00000000,?,?,?,?,?,00000000), ref: 0040674D
    • CreateThread.KERNEL32(00000000,00000000,00406550,00000000), ref: 0040676A
    • CertAddCertificateContextToStore.CRYPT32(?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406778
    • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406788
    • TerminateThread.KERNEL32(?,00000000), ref: 004067F4
    • CertFreeCertificateContext.CRYPT32(?,?,00000000,00000000,?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 004067FB
    • CertCloseStore.CRYPT32(?,00000000,?,?,00000000,00000000,?,?,00000001,00000000,?,?,?,?,?,00000000), ref: 00406804
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Function 00416B68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00416B79
      • Part of subcall function 00416549: EnterCriticalSection.KERNEL32(?,004111D4,?,00416BB2,0000000D), ref: 00416573
    • InterlockedIncrement.KERNEL32(FF0042A7), ref: 00416BBA
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(004111D4,00000001,004111D4), ref: 00419D3E
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(000051E8), ref: 00419D4B
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(5853E856), ref: 00419D58
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(FF8BC359), ref: 00419D65
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(50FEE856), ref: 00419D72
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32 ref: 00419D8E
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(50F0458D), ref: 00419D9E
      • Part of subcall function 00419D2C: InterlockedIncrement.KERNEL32(00005421), ref: 00419DB4
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.639236716.00400000.00000040.sdmp, Offset: 00400000, based on PE: true