Joe Sandbox Desktop - Analysis Report 35502

General Information

Analysis ID:	35502
Start time:	14:04:37
Start date:	11/09/2013
Overall analysis duration:	0h 12m 9s
Report type:	full
Sample file name:	g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe
Cookbook file name:	Bypass long sleeps.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 98%
Warnings:	Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Detection	Index	Report FP/FN
Threshold	malicious	0.040

Signature Overview

Networking:

Contains functionality to download additional files from the internet		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_00404D6A InternetOpenW,InternetOpenUrlW,VirtualAlloc,InternetReadFile,VirtualFree,InternetCloseHandle,InternetOpenUrlA,VirtualAlloc,InternetReadFile,VirtualAlloc,VirtualFree,VirtualFree,InternetCloseHandle,InternetCloseHandle,	0_2_00404D6A
Tries to download non-existing http data (HTTP/1.1 404 Not Found)		Show sources
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUND Server: nginx/1.4.1 Date: Wed, 11 Sep 2013 12:04:57 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive
Urls found in memory or binary data		Show sources
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://ns.adobe.com/exif/1.0/
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://ns.adobe.com/tiff/1.0/
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://ns.adobe.com/xap/1.0/
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://sys-doctor.com
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://www.iec.ch
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	String found in binary or memory: http://www.w3.org/1999/02/22-rdf-syntax-ns#
Downloads files from webservers via HTTP		Show sources
Source: global traffic	HTTP traffic detected: GET /api/stats/debug/1/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1 Host: 219.235.1.127 Connection: Keep-Alive

Boot Survival:

Creates an autostart registry key			Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run AS2014

Persistence and Installation Behavior:

Drops PE files			Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	File created: C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe

Data Obfuscation:

Binary may include packed or encrypted data		Show sources
Source: initial sample	Static PE information: section name: .text entropy: 6.09931624224
Contains functionality to dynamically determine API calls		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0043E686 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,RtlGetLastWin32Error,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,	0_2_0043E686
PE file contains an invalid checksum		Show sources
Source: initial sample	Static PE information: real checksum: 0x0 should be: 0xad1ac
PE sections with suspicious entropy found		Show sources
Source: initial sample	Static PE information: section name: .data entropy: 7.12738207246 raw section size: 0x91000

Spreading:

Contains functionality to enumerate / list files inside a directory			Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0040496D FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,		0_2_0040496D

System Summary:

Contains functionality to adjust token privileges (e.g. debug / backup)		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_1_00406123 AdjustTokenPrivileges,	0_1_00406123
Contains functionality to enum processes or threads		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_00401780 GetWindowsDirectoryW,CharLowerW,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,SendMessageW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,GetModuleFileNameExW,CharLowerW,OpenProcess,TerminateProcess,CloseHandle,GetSystemTime,SendMessageW,CloseHandle,Process32NextW,CloseHandle,Sleep,	0_2_00401780
Contains functionality to load and extract PE file embedded resources		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0041DBD2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GlobalUnlock,	0_2_0041DBD2
Creates files inside the user directory		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	File created: C:\Documents and Settings\All Users\Application Data\sasrrU33
Creates mutexes		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Mutant created: \BaseNamedObjects\AA-72857482-618394027-261638484
Enables driver privileges		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Process token adjusted: Load Driver
Tries to load missing DLLs		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Section loaded: xpsp2res.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)			Show sources
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0043844E SetUnhandledExceptionFilter,	0_2_0043844E
Contains functionality to check if a debugger is running (IsDebuggerPresent)		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_00435A88 IsDebuggerPresent,	0_2_00435A88
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_00401780 GetWindowsDirectoryW,CharLowerW,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,SendMessageW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,GetModuleFileNameExW,CharLowerW,OpenProcess,TerminateProcess,CloseHandle,GetSystemTime,SendMessageW,CloseHandle,Process32NextW,CloseHandle,Sleep,	0_2_00401780
Contains functionality to dynamically determine API calls		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0043E686 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,RtlGetLastWin32Error,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,	0_2_0043E686
Creates guard pages, often used to prevent reverse engineering and debugging		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Memory protected: page read and write and page guard
Found dropped PE file which has not been started or loaded		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe
Executes massive amount of sleeps in a loop		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Thread delayed: Count: 2634

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0040496D FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,	0_2_0040496D
Queries a list of all running processes		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Process information queried: ProcessInformation
May tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)		Show sources
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Binary or memory string: vmware
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Binary or memory string: VMWARE
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Binary or memory string: vmtoolsd.exe
Source: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Binary or memory string: VIRTUAL HD
Contains long sleeps (>= 3 min)		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Thread delayed: delay time: -301

Language, Device and Operating System Detection:

Contains functionality to query local / system time		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_00401780 GetWindowsDirectoryW,CharLowerW,CreateToolhelp32Snapshot,Process32FirstW,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,SendMessageW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,GetModuleFileNameExW,CharLowerW,OpenProcess,TerminateProcess,CloseHandle,GetSystemTime,SendMessageW,CloseHandle,Process32NextW,CloseHandle,Sleep,	0_2_00401780
Contains functionality to query the account / user name		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0040A981 GetUserNameW,SHGetFolderPathW,GetComputerNameW,PathAppendW,PathAppendW,GetFileAttributesW,GetFileAttributesW,GetModuleFileNameW,PathAppendW,GetFileAttributesW,CreateThread,RegQueryValueExW,CreateThread,RegCloseKey,CreateThread,	0_2_0040A981
Contains functionality to query windows version		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0040540A GetVersionExW,ObtainUserAgentString,GetEnvironmentVariableW,GetUserDefaultLCID,InternetOpenW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,	0_2_0040540A
Queries device information via Setup API		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Code function: 0_2_0040575F GetFileAttributesW,GetFileAttributesW,ExitProcess,GetFileAttributesW,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharUpperA,	0_2_0040575F
Queries the volume information (name, serial number etc) of a device		Show sources
Source: C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe	Qeruies volume information: C:\Program Files\Internet Explorer\iexplore.exe VolumeInformation

Screenshot

Startup

system is xp g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe (PID: 1352 MD5: 9FAC72A50A7F756D0D3319C686850516) cleanup

system is xp

g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe (PID: 1352 MD5: 9FAC72A50A7F756D0D3319C686850516)

cleanup

Created / dropped Files

File Path	Hashes
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe	MD5: 9FAC72A50A7F756D0D3319C686850516 SHA: 44C0C63E78A7CFE90E748A44C99951DC59C5AA29 SHA-256: 5D349792F053BF0B410A7E89FEDF065D413C80CF113368040CBDED9E0BD758C7 SHA-512: 0D7980E2D93CC93A62371FEA6824028FE488FBF9716D29A5468B46642B6F4AB79878C00C58C378779660AD68A09ED7DF9E6844034D2DE823569DAE4152177062
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe.manifest	MD5: 9FFFC81F7CB3C76097DB6A7397450850 SHA: 8528BEA71CBC1B5494C4CDC975278612EE4B0243 SHA-256: 41F146D5CB10313FC2A7BE20F31847BC1877197CBFE76EA594EE77DF1F1F749C SHA-512: BA3B6EE390C25942CAF8FDD790F94F60F0E38C7A49F09C28A9825FDDC1DB811D1C3CF080ABE598264D7D4D90BC23473DFEF1D7D24914D1F546E9BE20EF32E40B
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.ico	MD5: E6D7C185280DB54CFC2F6EB247C1F960 SHA: 4BB754999CC2B6F39FDB286FDE59A49C5DF8E8E0 SHA-256: 5333BA8E31A41394DE77E9C65B3C482386B127788C4C6CDC94C9A7DACC9447D7 SHA-512: AA62754B67099FABE9C57E5570A2A0B16D459E1D040876F7A63CFC534F13CFBBF90A25504D417AC370D367D5D63E59B1F39A7598CEAFA4DDB037C7A64B528D70
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33NwixDxva.in	MD5: F160C7D92B1700407E9FD84D53BF6D9D SHA: D55A9BD3E370626C0B1F01DD26DF610DC05A86DF SHA-256: 007D9E759C9A7894F4418A2CF1BEF0AD6F606E5536B74B426BA4D5B055C8BFFA SHA-512: A53E16EBBF6EFA352F3CD1C484A29BFFE7F835EE3F5358232FDCFD619CEDB931B8D7BC1DC080E5B3305A9219080049AF0282293EEF0A00A00ACB6954A75637D3
\ROUTER	MD5: 1E83B2814FEBD334463FE800FDEA51E3 SHA: BB3F61B15AE767F501C67AE840B98E9D41E3959A SHA-256: A2210C779EF463BE5BF27375BFED442A55B159FFDE8F7A1E1EEB92D34387D67C SHA-512: C2F398DC770F91AC81E7641C1BDA86E294023484208B14AB1EAB1ED8F8011DC6EA2637816EBCC6551219F0344395076C74D31077E3BCDB2544D6676D24138C52

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type:	Users\admin\Desktop\35502\sample\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name:	g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe
File size:	688128
MD5:	9fac72a50a7f756d0d3319c686850516
SHA1:	44c0c63e78a7cfe90e748a44c99951dc59c5aa29
SHA256:	5d349792f053bf0b410a7e89fedf065d413c80cf113368040cbded9e0bd758c7
SHA512:	0d7980e2d93cc93a62371fea6824028fe488fbf9716d29a5468b46642b6f4ab79878c00c58c378779660ad68a09ed7df9e6844034d2de823569dae4152177062

Static PE Info

General
Entrypoint:	0x403c90
Entrypoint Section:	.text
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4C36E8CC [Fri Jul 09 09:15:56 2010 UTC]
TLS Callbacks:
Digitally signed:	False

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xfe310	0x468	ump; data	Chinese	China
RT_DIALOG	0x106578	0x116	ump; data	English	United States
RT_DIALOG	0x106690	0x26e	ump; data	English	United States
RT_DIALOG	0x106900	0x26e	ump; data	Japanese	Japan
RT_DIALOG	0x106b70	0x26e	ump; data	Korean	North Korea
RT_DIALOG	0x106b70	0x26e	ump; data	Korean	South Korea
RT_DIALOG	0x106de0	0x26e	ump; data	Chinese	China
RT_DIALOG	0x107050	0xc2	ump; data	English	United States
RT_DIALOG	0x107114	0xc2	ump; data	Japanese	Japan
RT_DIALOG	0x1071d8	0xc2	ump; data	Korean	North Korea
RT_DIALOG	0x1071d8	0xc2	ump; data	Korean	South Korea
RT_DIALOG	0x10729c	0xb2	ump; data	Chinese	China
RT_STRING	0x107350	0xc2	ump; data	English	United States
RT_STRING	0x107414	0xc2	ump; data	Japanese	Japan
RT_STRING	0x1074d8	0x6e	ump; data	Chinese	China
RT_GROUP_ICON	0x107548	0x4c	ump; MS Windows icon resource - 1 icon	Chinese	China

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	__set_app_type, __p__fmode, _setmbcp, __CxxFrameHandler, _mbscmp, free, malloc, _mbsrchr, atoi, sprintf, __dllonexit, _onexit, _except_handler3, ?terminate@@YAXXZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, _controlfp
KERNEL32.dll	SetLastError, GetStartupInfoA, GetPrivateProfileStringA, LocalFree, GetLastError, WritePrivateProfileStringA, lstrlenA, CopyFileA, GetTempPathA, Sleep, GetSystemDirectoryA, GetVersionExA, GetModuleFileNameA, GetPrivateProfileIntA, GetSystemDefaultLCID, GetCurrentProcess, CloseHandle, WriteFile, CreateFileA, DeleteFileA, FreeLibrary, GetModuleHandleA, LoadLibraryA, GetProcAddress
USER32.dll	SetTimer, ExitWindowsEx, SetDlgItemTextA, MsgWaitForMultipleObjects, GetForegroundWindow, PeekMessageA, DispatchMessageA, GetWindowLongA, IsIconic, GetWindowTextA, DrawIcon, UpdateWindow, GetSystemMenu, AppendMenuA, SetParent, LoadIconA, EnableWindow, DrawFocusRect, SetRect, FillRect, GetClientRect, GetParent, SendMessageA, InflateRect, DrawStateA, InvalidateRect, LoadImageA, CopyRect, PostMessageA, GetSystemMetrics, KillTimer
GDI32.dll	GetTextExtentPoint32A, CreatePen, CreateSolidBrush, RoundRect
ADVAPI32.dll	RegEnumKeyExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyA, RegQueryInfoKeyA, RegQueryValueExA, RegDeleteValueA, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA
SHELL32.dll	ShellExecuteA, ShellExecuteExA
COMCTL32.dll	_TrackMouseEvent
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
SHLWAPI.dll	PathFileExistsA
SETUPAPI.dll	SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
.text	0x1000	0x85d2	0x9000	6.09931624224
.rdata	0xa000	0x2b3c	0x3000	4.493124447
.data	0xd000	0xf0560	0x91000	7.12738207246
.rsrc	0xfe000	0xa095a0	0xa000	5.33524932677

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States
Japanese	Japan
Korean	North Korea
Korean	South Korea

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2013 14:05:58.783783913 MESZ	1031	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:05:58.783812046 MESZ	80	1031	219.235.1.127	192.168.0.10
Sep 11, 2013 14:05:58.784151077 MESZ	1031	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:05:58.785469055 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:05:58.785499096 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:05:58.785815001 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:05:58.790313959 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:05:58.790330887 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:05:58.791136026 MESZ	1031	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:05:58.791147947 MESZ	80	1031	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:09.030019045 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:09.209880114 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:06:18.610122919 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:06:18.610140085 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:24.238883972 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:24.242336988 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:06:24.242353916 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:29.316023111 MESZ	1031	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:06:29.316122055 MESZ	80	1031	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:29.316428900 MESZ	1031	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:06:34.390074968 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:06:34.576905012 MESZ	1032	80	192.168.0.10	219.235.1.127
Sep 11, 2013 14:07:39.354384899 MESZ	80	1032	219.235.1.127	192.168.0.10
Sep 11, 2013 14:07:39.354948997 MESZ	1032	80	192.168.0.10	219.235.1.127

HTTP Request Dependency Graph

219.235.1.127

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Sep 11, 2013 14:05:58.790313959 MESZ	1032	80	192.168.0.10	219.235.1.127	GET /api/stats/debug/1/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1 Host: 219.235.1.127 Connection: Keep-Alive	0
Sep 11, 2013 14:05:58.791136026 MESZ	1031	80	192.168.0.10	219.235.1.127	GET /api/dom/no_respond/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800&dx=0 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705);(b:2600;c:x86_Family_6_Model_30_Stepping_5,_GenuineIntel;l:1033) Host: 219.235.1.127 Connection: Keep-Alive	1
Sep 11, 2013 14:06:09.030019045 MESZ	80	1032	219.235.1.127	192.168.0.10	HTTP/1.1 404 NOT FOUND Server: nginx/1.4.1 Date: Wed, 11 Sep 2013 12:04:57 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive	1
Sep 11, 2013 14:06:18.610122919 MESZ	1032	80	192.168.0.10	219.235.1.127	GET /api/stats/debug/2/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1 Host: 219.235.1.127 Connection: Keep-Alive	1
Sep 11, 2013 14:06:24.238883972 MESZ	80	1032	219.235.1.127	192.168.0.10	HTTP/1.1 404 NOT FOUND Server: nginx/1.4.1 Date: Wed, 11 Sep 2013 12:05:10 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive	2
Sep 11, 2013 14:06:24.242336988 MESZ	1032	80	192.168.0.10	219.235.1.127	GET /api/stats/debug/3/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1 Host: 219.235.1.127 Connection: Keep-Alive	2
Sep 11, 2013 14:06:34.390074968 MESZ	80	1032	219.235.1.127	192.168.0.10	HTTP/1.1 404 NOT FOUND Server: nginx/1.4.1 Date: Wed, 11 Sep 2013 12:05:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive	2

Code Manipulation Behavior

System Behavior

Analysis Process: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe PID: 1352 Parent PID: 1060

General

Start time:	09:50:05
Start date:	24/01/2012
Path:	C:\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	688128 bytes
MD5 hash:	9FAC72A50A7F756D0D3319C686850516

Chronological Activities

Disassembly

Code Analysis

< >

Analysis Process: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe PID: 1352 Parent PID: 1060

Executed Functions

Function 00401780, Relevance: 47.7, APIs: 24, Strings: 3, Instructions: 471

APIs

GetWindowsDirectoryW.KERNEL32(?,00000200,?,?,?,?,?,00447E63,000000FF), ref: 004017EA
CharLowerW.USER32(?), ref: 004017F7

Part of subcall function 0040DF0E: RtlEnterCriticalSection.NTDLL(004A9510,00000000,vmware,00401910), ref: 0040DF16
Part of subcall function 0040DF0E: RtlLeaveCriticalSection.NTDLL(004A9510,?,windir), ref: 0040DF23

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040191B
Process32FirstW.KERNEL32(?,?), ref: 00401941

Part of subcall function 00401E92: CharLowerW.USER32(?), ref: 00401EC6

GetCurrentProcessId.KERNEL32 ref: 00401977
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040198E
TerminateProcess.KERNEL32(?,00000000), ref: 004019A0
CloseHandle.KERNEL32 ref: 004019A7
SendMessageW.USER32(?,0000004A,00000547,?), ref: 004019E8

Part of subcall function 00401EFF: CharLowerW.USER32(?), ref: 00401F33

GetCurrentProcessId.KERNEL32 ref: 00401A02
GetCurrentProcessId.KERNEL32 ref: 00401A14
GetCurrentProcessId.KERNEL32 ref: 00401A26
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00401A44
GetModuleFileNameExW.PSAPI(?,00000000,?,00001000), ref: 00401A6A
CharLowerW.USER32(?), ref: 00401A7E
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00401BCD
TerminateProcess.KERNEL32(?,00000000), ref: 00401BE1
CloseHandle.KERNEL32 ref: 00401BE8
GetSystemTime.KERNEL32(?), ref: 00401C09

Part of subcall function 0040D50F: RtlEnterCriticalSection.NTDLL(004A94F8,?,?,00401DAC), ref: 0040D517
Part of subcall function 0040D50F: RtlLeaveCriticalSection.NTDLL(004A94F8,?,?,00401DAC), ref: 0040D524

SendMessageW.USER32(?,0000004A,00000547,?), ref: 00401DAD
CloseHandle.KERNEL32 ref: 00401DCE
Process32NextW.KERNEL32(?,?), ref: 00401DED
CloseHandle.KERNEL32(?), ref: 00401E00
Sleep.KERNEL32(00000064), ref: 00401E08

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

systemroot, xrefs: 00401802 00401813 0040182E
windir, xrefs: 00401892 004018A3 004018BE
vmware, xrefs: 004018CF 004018E0 004018FB

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040A981, Relevance: 33.7, APIs: 13, Strings: 6, Instructions: 496

APIs

Part of subcall function 0040481E: RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00404854
Part of subcall function 0040481E: RegQueryValueExW.ADVAPI32(?,Programs,00000000,00000000,?,?), ref: 0040487B
Part of subcall function 0040481E: SHGetFolderPathW.SHELL32(00000000,00000002,00000000,00000000,?), ref: 00404891
Part of subcall function 0040481E: PathAppendW.SHLWAPI(?,System Care Antivirus), ref: 004048AD
Part of subcall function 0040481E: GetFileAttributesW.KERNEL32(?), ref: 004048BA
Part of subcall function 0040481E: ExitProcess.KERNEL32(00000000,00000000), ref: 004048D0
Part of subcall function 0040481E: RegOpenKeyExW.ADVAPI32(?,System Doctor 2014), ref: 004048DC
Part of subcall function 0040481E: RegOpenKeyExW.ADVAPI32(?,Attentive Antivirus,?,System Doctor 2014), ref: 004048EE
Part of subcall function 0040481E: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\System Care Antivirus,00000000,00000001,?), ref: 00404912
Part of subcall function 0040481E: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014,00000000,00000001,?), ref: 00404928
Part of subcall function 0040481E: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus ,00000000,00000001,?), ref: 0040493E
Part of subcall function 0040481E: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus,00000000,00000001,?), ref: 00404954

GetUserNameW.ADVAPI32(?,?), ref: 0040A9F0
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 0040AACB
GetComputerNameW.KERNEL32(?,?), ref: 0040AAF1
PathAppendW.SHLWAPI(?,?), ref: 0040AC6D
GetFileAttributesW.KERNEL32(?), ref: 0040AE54
GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000), ref: 0040AE76
PathAppendW.SHLWAPI(?,?), ref: 0040AEB7
GetFileAttributesW.KERNEL32(?), ref: 0040AF73
CreateThread.KERNEL32(00000000,00000000,00405307,00000000), ref: 0040AF94

Part of subcall function 004052C3: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 004052EB

RegQueryValueExW.ADVAPI32(?,AS2014,00000000,00000000,?,?), ref: 0040AFCA
CreateThread.KERNEL32(00000000,00000000,00405307,00000000), ref: 0040B014
RegCloseKey.ADVAPI32 ref: 0040B01B
CreateThread.KERNEL32(00000000,00000000,00405307,00000000), ref: 0040B054

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

a, xrefs: 0040AA02
z, xrefs: 0040AA0C
0, xrefs: 0040AA16
9, xrefs: 0040AA20
.exe, xrefs: 0040ABFE 0040AF15 0040AF1A 0040AF22
AS2014, xrefs: 0040AFBA

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040540A, Relevance: 24.6, APIs: 8, Strings: 4, Instructions: 180

APIs

GetVersionExW.KERNEL32(?), ref: 00405452
ObtainUserAgentString.URLMON(00000000,?,?), ref: 0040549B
GetEnvironmentVariableW.KERNEL32(PROCESSOR_IDENTIFIER,?,000003E8), ref: 00405534
GetUserDefaultLCID.KERNEL32 ref: 00405592
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004055E7
InternetCloseHandle.WININET(?,?,00000000,00000000,00400000,00000000), ref: 00405621
InternetCloseHandle.WININET ref: 00405635
InternetCloseHandle.WININET ref: 00405638

Strings

;(b:, xrefs: 004054D3
;c:, xrefs: 0040550C
PROCESSOR_IDENTIFIER, xrefs: 0040552F
;l:, xrefs: 00405585

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040575F, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 130

APIs

GetFileAttributesW.KERNEL32(C:\sd2.dbg), ref: 0040577B
ExitProcess.KERNEL32(00000000), ref: 00405784
GetFileAttributesW.KERNEL32(C:\sd.dbg), ref: 0040578F

Part of subcall function 0043562B: RtlAllocateHeap.NTDLL(00140000,00000000,00000001), ref: 0043566E

SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000002), ref: 00405801
SetupDiEnumDeviceInfo.SETUPAPI(?,00000000,?), ref: 00405819
SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,?,0000000C,?,?,00001000,?), ref: 00405838
CharUpperA.USER32 ref: 00405843

Part of subcall function 004355F3: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435607
Part of subcall function 004355F3: RtlGetLastWin32Error.NTDLL ref: 00435619

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

C:\sd2.dbg, xrefs: 00405776
C:\sd.dbg, xrefs: 0040578A
VMWARE, xrefs: 0040579E
VBOX, xrefs: 004057AA
VIRTUAL HD, xrefs: 004057AF
QEMU, xrefs: 004057D1

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00406123, Relevance: 1.5, APIs: 1, Instructions: 45

APIs

AdjustTokenPrivileges.ADVAPI32 ref: 00406167

Memory Dump Source

Source File: 00000000.00000001.685086799.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000001.685035811.00400000.00000002.sdmp
Associated: 00000000.00000001.685148604.0040A000.00000002.sdmp
Associated: 00000000.00000001.685190450.0040D000.00000008.sdmp
Associated: 00000000.00000001.685727978.0049E000.00000004.sdmp
Associated: 00000000.00000001.686096185.004FE000.00000008.sdmp
Associated: 00000000.00000001.686169891.00508000.00000004.sdmp

Function 00401702, Relevance: 56.1, APIs: 28, Strings: 4, Instructions: 123

APIs

#2414.MFC42 ref: 0040171A
#800.MFC42 ref: 00401730
#800.MFC42 ref: 0040175A
#800.MFC42 ref: 00401771
#800.MFC42 ref: 0040177E
#800.MFC42 ref: 0040178B
#800.MFC42 ref: 00401798
#800.MFC42 ref: 004017A5
#800.MFC42 ref: 004017B2
#800.MFC42 ref: 004017BF
#800.MFC42 ref: 004017CC
#800.MFC42 ref: 004017D9
#800.MFC42 ref: 004017E6
#800.MFC42 ref: 004017F3
#800.MFC42 ref: 00401800
#800.MFC42 ref: 0040180D
#800.MFC42 ref: 0040181A
#800.MFC42 ref: 00401827
#800.MFC42 ref: 00401834
#800.MFC42 ref: 00401841
#800.MFC42 ref: 0040184E
#800.MFC42 ref: 0040185A
#795.MFC42 ref: 0040186A
#693.MFC42 ref: 0040187A
#765.MFC42 ref: 0040188A

Part of subcall function 00407390: #2414.MFC42 ref: 004073C5
Part of subcall function 00407390: #2414.MFC42 ref: 004073CF
Part of subcall function 00407390: #2414.MFC42 ref: 004073D7
Part of subcall function 00407390: #2414.MFC42 ref: 004073DF
Part of subcall function 00407390: #2414.MFC42 ref: 004073E7
Part of subcall function 00407390: #2414.MFC42 ref: 004073F2
Part of subcall function 00407390: #2414.MFC42 ref: 004073FF
Part of subcall function 00407390: #2414.MFC42 ref: 00407407
Part of subcall function 00407390: #2414.MFC42 ref: 0040740F
Part of subcall function 00407390: #2414.MFC42 ref: 00407417
Part of subcall function 00407390: #2414.MFC42 ref: 00407422
Part of subcall function 00407390: #2414.MFC42 ref: 00407439
Part of subcall function 00407390: #2414.MFC42 ref: 0040745D
Part of subcall function 00407390: #2414.MFC42 ref: 00407481
Part of subcall function 00407390: #2414.MFC42 ref: 004074A2
Part of subcall function 00407390: #2414.MFC42 ref: 004074C3
Part of subcall function 00407390: #2414.MFC42 ref: 004074E4
Part of subcall function 00407390: #2414.MFC42 ref: 00407505
Part of subcall function 00407390: #2414.MFC42 ref: 00407526
Part of subcall function 00407390: #2414.MFC42 ref: 00407547

Part of subcall function 00407390: #609.MFC42 ref: 00407581

#765.MFC42 ref: 004018FE
#641.MFC42 ref: 0040190A
#641.MFC42 ref: 00401919

Strings

", xrefs: 0040176C
!, xrefs: 00401779
, xrefs: 00401786
#, xrefs: 004018F9

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004153AB, Relevance: 55.2, APIs: 25, Strings: 2, Instructions: 223

APIs

CloseHandle.KERNEL32(00000000), ref: 004153C1
CreateFileW.KERNEL32(?,001F01FF,00000000,00000000,00000002,00000080,00000000), ref: 004153EC
WriteFile.KERNEL32(?,00485B3C,00000001,?,00000000), ref: 00415417
WriteFile.KERNEL32(00485B40,00000001,?,00000000), ref: 0041542A
WriteFile.KERNEL32(00485B44,00000001,?,00000000), ref: 0041543D
WriteFile.KERNEL32(00485B60,00000001,?,00000000), ref: 00415450
WriteFile.KERNEL32(0048704C,00000001,?,00000000), ref: 00415463
WriteFile.KERNEL32(00487068,00000001,?,00000000), ref: 00415476
WriteFile.KERNEL32(004AA824,00000001,?,00000000), ref: 00415489
WriteFile.KERNEL32(00485B84,00000001,?,00000000), ref: 0041549C
WriteFile.KERNEL32(004A9534,00000001,?,00000000), ref: 004154AF
WriteFile.KERNEL32(00486FD0,00000001,?,00000000), ref: 004154C2
WriteFile.KERNEL32(004A9584,00000001,?,00000000), ref: 004154D5
WriteFile.KERNEL32(004A952C,00000001,?,00000000), ref: 004154E8
WriteFile.KERNEL32(004864D4,00000004,?,00000000), ref: 004154FE
WriteFile.KERNEL32(004864D8,00000004,?,00000000), ref: 00415511
WriteFile.KERNEL32(004A9578,00000004,?,00000000), ref: 00415524
WriteFile.KERNEL32(004AA9A8,00000004,?,00000000), ref: 00415537
WriteFile.KERNEL32(004AA9AC,00000004,?,00000000), ref: 0041554A
WriteFile.KERNEL32(004AA9B0,00000004,?,00000000), ref: 0041555D
WriteFile.KERNEL32(004AA9B4,00000004,?,00000000), ref: 00415570
WriteFile.KERNEL32(REGK,?,?,00000000), ref: 00415593
WriteFile.KERNEL32(?,0000002A,?,00000000), ref: 004155BB
WriteFile.KERNEL32(INST,?,?,00000000), ref: 004155DE
WriteFile.KERNEL32(?,00000031,?,00000000), ref: 00415606

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

REGK, xrefs: 0041557F 00415584 0041558C
INST, xrefs: 004155CA 004155CF 004155D7

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040481E, Relevance: 42.3, APIs: 12, Strings: 9, Instructions: 116

APIs

RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00404854
RegQueryValueExW.ADVAPI32(?,Programs,00000000,00000000,?,?), ref: 0040487B
SHGetFolderPathW.SHELL32(00000000,00000002,00000000,00000000,?), ref: 00404891
PathAppendW.SHLWAPI(?,System Care Antivirus), ref: 004048AD
GetFileAttributesW.KERNEL32(?), ref: 004048BA
ExitProcess.KERNEL32(00000000,00000000), ref: 004048D0
RegOpenKeyExW.ADVAPI32(?,System Doctor 2014), ref: 004048DC
RegOpenKeyExW.ADVAPI32(?,Attentive Antivirus,?,System Doctor 2014), ref: 004048EE
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\System Care Antivirus,00000000,00000001,?), ref: 00404912
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014,00000000,00000001,?), ref: 00404928
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus ,00000000,00000001,?), ref: 0040493E
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus,00000000,00000001,?), ref: 00404954

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040483F
Programs, xrefs: 00404870
System Care Antivirus, xrefs: 004048A1
System Doctor 2014, xrefs: 004048D6
Attentive Antivirus, xrefs: 004048E8
Software\Microsoft\Windows\CurrentVersion\Uninstall\System Care Antivirus, xrefs: 0040490C
Software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014, xrefs: 00404922
Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus , xrefs: 00404938
Software\Microsoft\Windows\CurrentVersion\Uninstall\Attentive Antivirus, xrefs: 0040494E

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042D929, Relevance: 14.6, APIs: 6, Strings: 1, Instructions: 151

APIs

Sleep.KERNEL32(0000000A), ref: 0042DA21

Part of subcall function 0042DBF7: CoInitialize.OLE32(00000000), ref: 0042DC2A

Part of subcall function 0042DD1D: IsWindow.USER32(00000000), ref: 0042DE68
Part of subcall function 0042DD1D: GetWindowTextLengthW.USER32(00000000), ref: 0042DE75
Part of subcall function 0042DD1D: GetWindowTextW.USER32(00000000), ref: 0042DE99

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042DAA1
TranslateMessage.USER32(?), ref: 0042DAB9
IsWindow.USER32(?), ref: 0042DAC2
DispatchMessageW.USER32(?), ref: 0042DAD0
Sleep.KERNEL32(00000000), ref: 0042DAE6

Strings

MyIE, xrefs: 0042D9A3

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00405260, Relevance: 14.2, APIs: 8, Instructions: 62

APIs

RegOpenKeyExA.ADVAPI32(80000000,?,00000000,00020119,?), ref: 004052A7
RegQueryValueExA.ADVAPI32(?,0040D534,00000000,?,?,?), ref: 004052CC
#537.MFC42(?), ref: 004052DF
_mbscmp.MSVCRT(?,0040D534,?), ref: 004052EE
#800.MFC42(?,?), ref: 00405307
#800.MFC42(?,?), ref: 0040531E
#800.MFC42(?,?), ref: 0040533C
#800.MFC42(?,?), ref: 00405353

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004051CF, Relevance: 13.6, APIs: 9, Instructions: 96

APIs

CreateFileW.KERNEL32(?,00120089,00000001,00000000,00000003,00000080,00000000), ref: 00405209
CreateFileW.KERNEL32(?,001F01FF,00000003,00000000,00000001,00000080,00000000), ref: 00405233
GetFileSize.KERNEL32(?,00000000), ref: 00405249
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040525B
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040526E
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00405286
CloseHandle.KERNEL32(?), ref: 00405297
CloseHandle.KERNEL32 ref: 0040529A
CopyFileW.KERNEL32(?,?,?), ref: 004052AA

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00415617, Relevance: 10.8, APIs: 6, Instructions: 95

APIs

CloseHandle.KERNEL32(00000000), ref: 0041562E
CreateFileW.KERNEL32(?,001F01FF,00000000,00000000,00000002,00000080,00000000), ref: 00415659
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 004156A3
WriteFile.KERNEL32(?,00000004,?,00000000), ref: 004156BF
WriteFile.KERNEL32(?,00000004,?,00000000), ref: 004156D9
WriteFile.KERNEL32(?,00000004,?,00000000), ref: 004156F3

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040D638, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101

APIs

CreateWindowExW.USER32 ref: 0040D6CB
CreateThread.KERNEL32(00000000,00000000,004130AF,00000000), ref: 0040D6EB

Part of subcall function 00412DB4: CreateFileW.KERNEL32(?,001F01FF,00000000,00000000,00000001,00000080,00000000), ref: 00412DED
Part of subcall function 00412DB4: CloseHandle.KERNEL32 ref: 00412DF4
Part of subcall function 00412DB4: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Security Pro,00000000,00471670,00000000,000F003F,00000000,?,00000000), ref: 00412E1D
Part of subcall function 00412DB4: RegSetValueExW.ADVAPI32(?,DisplayName,00000000,00000001,Antivirus Security Pro), ref: 00412E51
Part of subcall function 00412DB4: RegSetValueExW.ADVAPI32(?,InstallLocation,00000000,00000001,?,0000003D), ref: 00412E7F
Part of subcall function 00412DB4: RegSetValueExW.ADVAPI32(?,NoModify,00000000,00000004,?,00000004), ref: 00412E93
Part of subcall function 00412DB4: RegSetValueExW.ADVAPI32(?,NoRepair,00000000,00000004,?,00000004), ref: 00412EA4
Part of subcall function 00412DB4: RegSetValueExW.ADVAPI32(?,UninstallString,00000000,00000001,?,?), ref: 00412F3A
Part of subcall function 00412DB4: RegSetValueExW.ADVAPI32(?,DisplayIcon,00000000,00000001,?,?), ref: 00412F94
Part of subcall function 00412DB4: RegCloseKey.ADVAPI32(?), ref: 00412F99

CreateWindowExW.USER32 ref: 0040D723
LoadIconW.USER32(?,0000008C), ref: 0040D765

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Antivirus Security Pro, xrefs: 0040D6BC 0040D714
MainAntivirus_Class, xrefs: 0040D6C1 0040D719

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041207C, Relevance: 6.0, APIs: 4, Instructions: 44

APIs

GetFileAttributesW.KERNEL32(?), ref: 00412082

Part of subcall function 0040540A: GetVersionExW.KERNEL32(?), ref: 00405452
Part of subcall function 0040540A: ObtainUserAgentString.URLMON(00000000,?,?), ref: 0040549B
Part of subcall function 0040540A: GetEnvironmentVariableW.KERNEL32(PROCESSOR_IDENTIFIER,?,000003E8), ref: 00405534
Part of subcall function 0040540A: GetUserDefaultLCID.KERNEL32 ref: 00405592
Part of subcall function 0040540A: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004055E7
Part of subcall function 0040540A: InternetCloseHandle.WININET(?,?,00000000,00000000,00400000,00000000), ref: 00405621
Part of subcall function 0040540A: InternetCloseHandle.WININET ref: 00405635
Part of subcall function 0040540A: InternetCloseHandle.WININET ref: 00405638

Sleep.KERNEL32(000003E8), ref: 004120AD
CreateFileW.KERNEL32(?,0012019F,00000000,00000000,00000002,00000080,00000000), ref: 004120D4
CloseHandle.KERNEL32 ref: 004120E0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042DC80, Relevance: 5.5, APIs: 3, Instructions: 67

APIs

CoCreateInstance.OLE32(0042D7D3,?,00000014,0046ECA4,?), ref: 0042DCBA
OleRun.OLE32(0042D7D3), ref: 0042DCC9
CoCreateInstance.OLE32(0042D7D3,?,00000014,0046F054,?), ref: 0042DCFB

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00401930, Relevance: 3.7, APIs: 2, Instructions: 20

APIs

#765.MFC42(?,?,?,00408908,000000FF), ref: 00401958
#641.MFC42(?,?,?,00408908,000000FF), ref: 00401967

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00401BE0, Relevance: 1.9, APIs: 1, Instructions: 18

APIs

#2414.MFC42(?,?,?,00408A68,000000FF), ref: 00401C0B

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004051F0, Relevance: 1.5, APIs: 1, Instructions: 24

APIs

#860.MFC42(0040D308,00402270,00000001,?,00000000,0000007C,?,00000000,?,00000000,00000154,?,?,00001026,00000000,00FFF7F7), ref: 00405253

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Non-executed Functions

Function 0043E686, Relevance: 56.4, APIs: 22, Strings: 6, Instructions: 168

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0043E6AE
LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000800), ref: 0043E6D4
RtlGetLastWin32Error.NTDLL ref: 0043E6E0
LoadLibraryW.KERNEL32(USER32.DLL), ref: 0043E6F4
GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0043E70A
RtlEncodePointer.NTDLL ref: 0043E719
GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0043E726
RtlEncodePointer.NTDLL ref: 0043E72D
GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0043E73A
RtlEncodePointer.NTDLL ref: 0043E741
GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0043E74E
RtlEncodePointer.NTDLL ref: 0043E755
GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0043E766
RtlEncodePointer.NTDLL ref: 0043E76D
IsDebuggerPresent.KERNEL32 ref: 0043E777
OutputDebugStringW.KERNEL32(?), ref: 0043E789
RtlDecodePointer.NTDLL(?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E7A7
RtlDecodePointer.NTDLL(?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E7C9
RtlDecodePointer.NTDLL(?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E7D4
RtlDecodePointer.NTDLL(?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E819
RtlDecodePointer.NTDLL(?,?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E831
RtlDecodePointer.NTDLL(?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E845

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

USER32.DLL, xrefs: 0043E6CF 0043E6EF
MessageBoxW, xrefs: 0043E704
GetActiveWindow, xrefs: 0043E71B
GetLastActivePopup, xrefs: 0043E72F
GetUserObjectInformationW, xrefs: 0043E743
GetProcessWindowStation, xrefs: 0043E760

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00404D6A, Relevance: 21.3, APIs: 14, Instructions: 292

APIs

InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404DCE
InternetOpenUrlW.WININET(?,?,00000000,00000000,00400000,00000000), ref: 00404E1B
VirtualAlloc.KERNEL32(00000000,00010001,00003000,00000004), ref: 00404E3D
InternetReadFile.WININET(?,?,00001000,?), ref: 00404E83
VirtualFree.KERNEL32(?,00010001,00008000), ref: 00404FBD
InternetCloseHandle.WININET(?), ref: 00404FC9
InternetOpenUrlA.WININET(?,?,00000000,00000000,00400000,00000000), ref: 0040505A
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 00405083
InternetReadFile.WININET(?,?,00001000,?), ref: 004050AA
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 004050CD
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004050EF
InternetCloseHandle.WININET(?), ref: 0040515D

Part of subcall function 00410DB2: CreateFileW.KERNEL32(?,001F01FF,00000003,00000000,00000002,00000080,00000000), ref: 00410EAD
Part of subcall function 00410DB2: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00410EC9
Part of subcall function 00410DB2: CloseHandle.KERNEL32 ref: 00410ED0

VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00405151
InternetCloseHandle.WININET(?), ref: 0040519C

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040496D, Relevance: 17.1, APIs: 5, Strings: 3, Instructions: 253

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004049F2
lstrcmpW.KERNEL32(?,0046EB94), ref: 00404A1C
lstrcmpW.KERNEL32(?,0046EB98), ref: 00404A36
FindNextFileW.KERNEL32(?,?), ref: 00404C6A
FindClose.KERNEL32 ref: 00404C79

Strings

DSC, xrefs: 00404B9D
IMG, xrefs: 00404BB9
.jpg, xrefs: 00404BDB

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041DBD2, Relevance: 12.1, APIs: 8, Instructions: 108

APIs

FindResourceW.KERNEL32(?,?,?), ref: 0041DBE9
SizeofResource.KERNEL32(?), ref: 0041DBFE
LoadResource.KERNEL32(?), ref: 0041DC15
LockResource.KERNEL32 ref: 0041DC1C
GlobalAlloc.KERNEL32(00000002), ref: 0041DC2F
GlobalLock.KERNEL32 ref: 0041DC43
CreateStreamOnHGlobal.OLE32(?,00000000,?), ref: 0041DC67
GlobalUnlock.KERNEL32 ref: 0041DCD9

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00435A88, Relevance: 2.1, APIs: 1, Instructions: 20

APIs

IsDebuggerPresent.KERNEL32 ref: 00435A8B

Part of subcall function 00438471: SetUnhandledExceptionFilter.KERNEL32(00000000,?,004395EC,?,?,?,00000001), ref: 00438476
Part of subcall function 00438471: UnhandledExceptionFilter.KERNEL32(004395EC,?,004395EC,?,?,?,00000001), ref: 0043847F

Part of subcall function 0043845C: GetCurrentProcess.KERNEL32 ref: 00438462
Part of subcall function 0043845C: TerminateProcess.KERNEL32 ref: 00438469

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043844E, Relevance: 1.9, APIs: 1, Instructions: 6

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00438454

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00402E20, Relevance: 128.7, APIs: 62, Strings: 2, Instructions: 454

APIs

malloc.MSVCRT ref: 00402E46
GetTempPathA.KERNEL32(000001F4), ref: 00402E5B
#540.MFC42 ref: 00402E65
#540.MFC42 ref: 00402E77
#2818.MFC42(?,0040D0FC), ref: 00402E8F
#2818.MFC42(?,0040D0F0,?,?,0040D0FC), ref: 00402E9F
WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0E4,0040D0EC,?), ref: 00402EBB

Part of subcall function 00405390: GetModuleFileNameA.KERNEL32(00000000,?,000001F4), ref: 004053D0
Part of subcall function 00405390: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00405417
Part of subcall function 00405390: RegDeleteValueA.ADVAPI32(?,0040D0D8), ref: 00405452
Part of subcall function 00405390: RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 00405470
Part of subcall function 00405390: RegSetValueExA.ADVAPI32(?,0040D0D8,?,00000001,?,00000100), ref: 00405491
Part of subcall function 00405390: RegCloseKey.ADVAPI32 ref: 0040549C

#6675.MFC42(00000000,00000001), ref: 00402EE7
#540.MFC42(00000001), ref: 00402F0C
#540.MFC42(00000001), ref: 00402F1D
#540.MFC42(00000001), ref: 00402F2E
#540.MFC42(00000001), ref: 00402F3F
#2818.MFC42(?,0040D044,?,00000001), ref: 00402F5D
#540.MFC42(?,?,00000001), ref: 00402F9B
#2818.MFC42(?,0040D0D4,?,?,?,00000001), ref: 00402FB3
WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0CC,?,?), ref: 00402FCF
#800.MFC42(?,?,?,?,?,00000001), ref: 00402FE1
#2818.MFC42(?,0040D064,?,?,?,00000001), ref: 00402FF9
#2919.MFC42(000001F4,000001F4,?,?,?,?,?,?,00000001), ref: 0040301E
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00403028
#2818.MFC42(?,0040D0C4,?,?,?,?,?,00000000,?,000001F4,000001F4,?), ref: 0040304B
#858.MFC42(?,?,?,00000001), ref: 00403061
#2818.MFC42(?,0040D0BC,?,?,?,?,?,00000001), ref: 0040307A
#6675.MFC42(?,?,?,?,?,?,?,00000001), ref: 0040308B
#4224.MFC42(?,?,00000001,?,?,?,?,?,?,?,00000001), ref: 004030AF
#540.MFC42(?,?,00000001,?,?,?,?,?,?,?,00000001), ref: 004030CE
#2818.MFC42(?,0040D0D4,?,?,?,00000001,?,?,?,?,?,?,?,00000001), ref: 004030EC
WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0B0,?,?), ref: 00403108
#535.MFC42(?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 0040312D
PathFileExistsA.SHLWAPI ref: 00403141
_mbscmp.MSVCRT(?,0040D0A8,?,?,?,?,?,?,?,?,00000001), ref: 004031A0
CopyFileA.KERNEL32(?,?,00000000), ref: 004031B4
ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004031C7
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004031DD
GetForegroundWindow.USER32 ref: 004031E7
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403204
DispatchMessageA.USER32(?), ref: 0040320F
_mbscmp.MSVCRT(?,0040D0A4,?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 00403220
#4224.MFC42(?,?,00000000,?,?,?,?,?,?,?,?,00000001), ref: 0040324C
#4224.MFC42(?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 0040326E
_mbscmp.MSVCRT(?,0040D0A8,?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 0040328B
CopyFileA.KERNEL32(?,?,00000000), ref: 0040329F
ShellExecuteExA.SHELL32(?,?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 004032B2
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004032C8
GetForegroundWindow.USER32 ref: 004032D2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004032F3
DispatchMessageA.USER32(?), ref: 00403301
#1200.MFC42(?,00000010,00000000,?,?,?,?,?,?,?,?,00000001), ref: 00403313
#800.MFC42(?,00000010,00000000,?,?,?,?,?,?,?,?,00000001), ref: 00403324
#535.MFC42(?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 00403349
#535.MFC42(?,?,?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 00403361
#4224.MFC42(?,0040D0A0,00000001,?,?,?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 0040337D
#800.MFC42(?,?,00000001), ref: 004033B0
#800.MFC42(?,?,00000001), ref: 004033C1
#800.MFC42(?,?,00000001), ref: 004033D2
#800.MFC42(?,?,00000001), ref: 004033E3
#1200.MFC42(?,00000010,00000000,00000001), ref: 004033F4
#535.MFC42(?,?,?,00000010,00000000,00000001), ref: 00403405

Part of subcall function 00406460: DeleteFileA.KERNEL32(?), ref: 00406465
Part of subcall function 00406460: #800.MFC42(?,?,00000010,00000000,00000001), ref: 0040646F

#535.MFC42(?,?,?,?,?,00000010,00000000,00000001), ref: 0040341D
free.MSVCRT ref: 0040342A
#800.MFC42(00000000), ref: 00403448
#800.MFC42(00000000), ref: 0040345C

Strings

<, xrefs: 00403152
@, xrefs: 00403163

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00403480, Relevance: 105.4, APIs: 58, Strings: 2, Instructions: 399

APIs

#6215.MFC42(00000000), ref: 004034A4
WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0E4,0040D110,0040D090), ref: 004034BD
#540.MFC42 ref: 004034C7
#540.MFC42 ref: 004034D7
#540.MFC42 ref: 004034E8
#2818.MFC42(?,0040D044), ref: 00403506

Part of subcall function 00407060: #540.MFC42(?,?,?,004093C8,000000FF,00403524), ref: 0040707D
Part of subcall function 00407060: #2818.MFC42(?,0040D454,?), ref: 0040709E
Part of subcall function 00407060: #5953.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070B2
Part of subcall function 00407060: #800.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070C3

SendMessageA.USER32(?,00000402,?,00000000), ref: 0040353F
#6334.MFC42(00000000,?,00000402,?,00000000), ref: 00403548
#540.MFC42(00000000,?,00000402,?,00000000), ref: 0040357D
#2818.MFC42(?,0040D0D4,?,00000000,?,00000402,?,00000000), ref: 00403595
WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0CC,?,0040D090), ref: 004035B1
#800.MFC42(?,00000000), ref: 004035C3
#2818.MFC42(?,0040D064,?,00000000,?,00000402,?,00000000), ref: 004035E1
#2919.MFC42(000001F4,000001F4,?,?,00000000), ref: 00403606
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00403610
#858.MFC42(?,00000000,?,00000402,?,00000000), ref: 00403626
#6675.MFC42(?,?,00000000,?,00000402,?,00000000), ref: 00403635
#540.MFC42(?,?,00000000,?,00000402,?,00000000), ref: 0040365D
#2818.MFC42(?,0040D0D4,?,?,?,00000000,?,00000402,?,00000000), ref: 0040367B
WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0B0,0040D0D4,0040D090), ref: 00403697
PathFileExistsA.SHLWAPI ref: 004036A1
_mbscmp.MSVCRT(?,0040D534,?,?,00000000), ref: 004036B9
#4224.MFC42(?,?,00000000,?,?,?,00000000), ref: 004036D1
_mbscmp.MSVCRT(?,?,?,?,?,00000000), ref: 00403713
#535.MFC42(?,?,?,?,00000000), ref: 0040372D

Part of subcall function 00407010: #5953.MFC42(00000401,?,?,004093A8,000000FF,0040373C,?,?,?,?,00000000), ref: 00407037
Part of subcall function 00407010: #800.MFC42(00000401,?,?,004093A8,000000FF,0040373C,?,?,?,?,00000000), ref: 00407048

SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040374A
SendMessageA.USER32(?,00000402,?,00000000), ref: 00403779
#6334.MFC42(00000000,?,00000402,?,00000000,?,?,00000408,00000000,00000000,?,?,?,?,00000000), ref: 00403783
#4224.MFC42(?,?,00000000,00000000,?,00000402,?,00000000,?,?,00000408,00000000,00000000), ref: 00403798
#800.MFC42(?,?,00000000,00000000,?,00000402,?,00000000,?,?,00000408,00000000,00000000), ref: 004037AB
#535.MFC42(?,?,?,?,?,?,?,00000000), ref: 004037E6
#535.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 004037FE
ShellExecuteExA.SHELL32(?), ref: 00403810
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00403828
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403840
DispatchMessageA.USER32(?), ref: 0040384B
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040385F
#535.MFC42(?,?,?,?,00000408,00000000,00000000,?,?,?,0040D10C,?,?,?), ref: 00403887
#535.MFC42(?,?,?,?,?,?,00000408,00000000,00000000,?,?,?,0040D10C,?,?,?), ref: 0040389C
#6334.MFC42(00000000,?,?,?,?,?,?,00000408,00000000,00000000,?,?,?,0040D10C), ref: 004038B3
Sleep.KERNEL32(00001388), ref: 004038BD
#6334.MFC42(00000000,?,00000408,00000000,00000000), ref: 004038CB
#535.MFC42(?,?,?,00000000,?,00000408,00000000,00000000), ref: 004038DE
#535.MFC42(?,?,?,?,?,00000000,?,00000408,00000000,00000000), ref: 004038F3

Part of subcall function 004066F0: #535.MFC42(?,?,?,?,?,?,?,00409290,000000FF,00403907,?,?,?,?,?,00000000), ref: 0040671F
Part of subcall function 004066F0: #535.MFC42(?,?,?,?,?,?,?,?,?,00409290,000000FF,00403907,?,?,?), ref: 0040673A
Part of subcall function 004066F0: SendMessageA.USER32(?,00000402,?,00000000), ref: 00406761
Part of subcall function 004066F0: #800.MFC42(?,00000402,?,00000000,?,?,?,?,?,?,?,?,?,?,00409290,000000FF), ref: 00406770
Part of subcall function 004066F0: #800.MFC42(?,00000402,?,00000000,?,?,?,?,?,?,?,?,?,?,00409290,000000FF), ref: 00406781

#924.MFC42(?,?,0040D10C,?,?,?,?,?,00000000,?,00000408,00000000,00000000), ref: 00403916
#858.MFC42(?,?,?,0040D10C,?,?,?,?,?,00000000,?,00000408,00000000,00000000), ref: 00403928
#800.MFC42(?,?,?,0040D10C,?,?,?,?,?,00000000,?,00000408,00000000,00000000), ref: 00403939
Sleep.KERNEL32(00001388), ref: 00403943
#800.MFC42(00000002), ref: 00403963
#800.MFC42(00000002), ref: 00403974
SendMessageA.USER32(?,00000402,00000064,00000000), ref: 0040399E
#6334.MFC42(00000000,?,00000402,00000064,00000000,00000064,00000000,?,00000402,?,00000000), ref: 004039A7
#4224.MFC42(?,?,00000000,00000000,?,00000402,00000064,00000000,00000064,00000000,?,00000402,?,00000000), ref: 004039BD
#6215.MFC42(00000005,?,?,00000000,00000000,?,00000402,00000064,00000000,00000064,00000000,?,00000402,?,00000000), ref: 004039CD
#537.MFC42(0040D090,?,00000005,?,?,00000000,00000000,?,00000402,00000064,00000000,00000064,00000000,?,00000402), ref: 004039DE

Part of subcall function 00406460: DeleteFileA.KERNEL32(?), ref: 00406465
Part of subcall function 00406460: #800.MFC42(?,?,00000010,00000000,00000001), ref: 0040646F

Part of subcall function 00405390: GetModuleFileNameA.KERNEL32(00000000,?,000001F4), ref: 004053D0
Part of subcall function 00405390: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00405417
Part of subcall function 00405390: RegDeleteValueA.ADVAPI32(?,0040D0D8), ref: 00405452
Part of subcall function 00405390: RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 00405470
Part of subcall function 00405390: RegSetValueExA.ADVAPI32(?,0040D0D8,?,00000001,?,00000100), ref: 00405491
Part of subcall function 00405390: RegCloseKey.ADVAPI32 ref: 0040549C

#800.MFC42(00000000,?,00000402,?,00000000), ref: 004039FE
#800.MFC42(00000000,?,00000402,?,00000000), ref: 00403A0F
#800.MFC42(00000000,?,00000402,?,00000000), ref: 00403A23

Strings

<, xrefs: 004036EB
@, xrefs: 004036F3

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00405A20, Relevance: 104.1, APIs: 59, Instructions: 467

APIs

#540.MFC42 ref: 00405A56
#540.MFC42 ref: 00405A67
#540.MFC42 ref: 00405A78
#4129.MFC42(?,00000003), ref: 00405A93
#858.MFC42(?,?,00000003), ref: 00405AA5
#800.MFC42(?,?,00000003), ref: 00405AB6
_mbscmp.MSVCRT(?,0040D398,?,?,00000003), ref: 00405ACB
#4129.MFC42(?,0000000C), ref: 00405AE2
#858.MFC42(?,?,0000000C), ref: 00405AF4
#5710.MFC42(?), ref: 00405B2A
#858.MFC42(?,?), ref: 00405B3C
#800.MFC42(?,?), ref: 00405B4D
#6663.MFC42(?,00000001,?,?), ref: 00405B5D
#4129.MFC42(?,?,?,00000001,?,?), ref: 00405B6C
#922.MFC42(?,?,?,?,?,?,00000001,?,?), ref: 00405B85
#858.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405B97
#800.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405BA7
#800.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405BB8
_mbscmp.MSVCRT(00000001,0040D534,?,?,?,?,?,?,?,00000001,?,?), ref: 00405BC7
#4129.MFC42(?,0000000C,?), ref: 00405BDE
#858.MFC42(?,?,0000000C,?), ref: 00405BF0
#800.MFC42(?,?,0000000C,?), ref: 00405C01
#5710.MFC42(?,?,?), ref: 00405C26
#858.MFC42(?,?,?,?), ref: 00405C3B
#800.MFC42(?,?,?,?), ref: 00405C4C
_mbscmp.MSVCRT(?,0040D534,?,?,?,?), ref: 00405C5B
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405CE9
RegQueryValueExA.ADVAPI32(?,0040D36C,00000000,?,?,?), ref: 00405D0E
#537.MFC42(?,?,?,?), ref: 00405D21
#800.MFC42(?,?,?,?), ref: 00405D2A
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405D52
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00405D99
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405E13
RegQueryValueExA.ADVAPI32(?,0040D36C,00000000,?,?,?), ref: 00405E34
#537.MFC42(?,?,?,?), ref: 00405E47
_mbscmp.MSVCRT(?,0040D534,?,?,?,?), ref: 00405E5E
#800.MFC42(?,?,?,?,?), ref: 00405E7B
RegCloseKey.ADVAPI32(?), ref: 00405E85
RegCloseKey.ADVAPI32(?), ref: 00405EA3
#5710.MFC42(?,?,?,?,?), ref: 00405EC9
#858.MFC42(?,?,?,?,?,?), ref: 00405EDB
#800.MFC42(?,?,?,?,?,?), ref: 00405EEC
#6663.MFC42(?,00000001,?,?,?,?,?,?), ref: 00405EFC
#4129.MFC42(?,?,?,00000001,?,?,?,?,?,?), ref: 00405F0B
#858.MFC42(?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F1D
#800.MFC42(?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F2E
_mbscmp.MSVCRT(00000001,0040D534,?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F3D
#858.MFC42(?,?,?,?,?,?), ref: 00405F52
#922.MFC42(?,?,?,?,?,?,?,?), ref: 00405F68
#858.MFC42(?,?,?,?,?,?,?,?,?), ref: 00405F7A
#800.MFC42(?,?,?,?,?,?,?,?,?), ref: 00405F8B
#5710.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 00405FB0
#858.MFC42(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FC5
#800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FD6
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FE5
#535.MFC42(?,?,?,?), ref: 00406000
#800.MFC42(?,?,?,?), ref: 00406019
#800.MFC42(?,?,?,?), ref: 0040602A
#800.MFC42(?,?,?,?), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0042C700, Relevance: 98.4, APIs: 26, Strings: 23, Instructions: 218

APIs

RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C73C
RegCreateKeyExW.ADVAPI32(?,Download,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C754
RegSetValueExW.ADVAPI32(0042C28F,CheckExeSignatures,00000000,00000001,00472620,00000006), ref: 0042C76E
RegCloseKey.ADVAPI32(0042C28F), ref: 0042C779
RegCreateKeyExW.ADVAPI32(?,Extensions,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C793
RegCloseKey.ADVAPI32(0042C28F), ref: 0042C798
RegCreateKeyExW.ADVAPI32(?,LowRegistry\DontShowMeThisDialogAgain,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C7B2
RegCloseKey.ADVAPI32(0042C28F), ref: 0042C7B7
RegCreateKeyExW.ADVAPI32(?,Main,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C7D1
RegSetValueExW.ADVAPI32(0042C28F,Play_Animations,00000000,00000001,00472620,00000006), ref: 0042C7E6
RegSetValueExW.ADVAPI32(0042C28F,Play_Background_Sounds,00000000,00000001,00472620,00000006), ref: 0042C7FB
RegSetValueExW.ADVAPI32(0042C28F,Display Inline Images,00000000,00000001,yes,00000008), ref: 0042C810
RegCloseKey.ADVAPI32(0042C28F), ref: 0042C815
RegCreateKeyExW.ADVAPI32(?,New Windows,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C82F
RegSetValueExW.ADVAPI32(0042C28F,AllowHTTPS,00000000,00000004,?,00000004), ref: 0042C84A
RegSetValueExW.ADVAPI32(0042C28F,PlaySound,00000000,00000004,?,00000004), ref: 0042C862
RegSetValueExW.ADVAPI32(0042C28F,PopupMgr,00000000,00000004,?,00000004), ref: 0042C87A
RegSetValueExW.ADVAPI32(0042C28F,PopupMgr,00000000,00000001,00472620,00000006), ref: 0042C88F
RegCloseKey.ADVAPI32(0042C28F), ref: 0042C894
RegCreateKeyExW.ADVAPI32(?,Security,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C8AE
RegSetValueExW.ADVAPI32(0042C28F,Safety Warning Level,00000000,00000001,SucceedSilent,0000001C), ref: 0042C8C3
RegSetValueExW.ADVAPI32(0042C28F,Trust Warning Level,00000000,00000001,No Security,00000018), ref: 0042C8D8
RegSetValueExW.ADVAPI32(0042C28F,Sending_Security,00000000,00000001,Low,00000008), ref: 0042C8EE
RegSetValueExW.ADVAPI32(0042C28F,Viewing_Security,00000000,00000001,Low,00000008), ref: 0042C8FF
RegCloseKey.ADVAPI32(0042C28F), ref: 0042C904
RegCloseKey.ADVAPI32(?), ref: 0042C909

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Browser_Class, xrefs: 0042C718
Software\Microsoft\Internet Explorer, xrefs: 0042C729
Download, xrefs: 0042C74C
CheckExeSignatures, xrefs: 0042C766
Extensions, xrefs: 0042C78B
LowRegistry\DontShowMeThisDialogAgain, xrefs: 0042C7AA
Main, xrefs: 0042C7C9
Play_Animations, xrefs: 0042C7DE
Play_Background_Sounds, xrefs: 0042C7F3
yes, xrefs: 0042C7FF
Display Inline Images, xrefs: 0042C808
New Windows, xrefs: 0042C827
AllowHTTPS, xrefs: 0042C83B
PlaySound, xrefs: 0042C85A
PopupMgr, xrefs: 0042C872 0042C887
Security, xrefs: 0042C8A6
SucceedSilent, xrefs: 0042C8B2
Safety Warning Level, xrefs: 0042C8BB
No Security, xrefs: 0042C8C7
Trust Warning Level, xrefs: 0042C8D0
Low, xrefs: 0042C8DC 0042C8E1 0042C8F2
Sending_Security, xrefs: 0042C8E6
Viewing_Security, xrefs: 0042C8F7

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041333D, Relevance: 77.4, APIs: 30, Strings: 14, Instructions: 393

APIs

InitCommonControls.COMCTL32 ref: 0041336F
GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,?,?,?,?,00449604,000000FF), ref: 00413384
MessageBoxW.USER32(00000000,Are you sure to uninstall Antivirus Security Pro?,Antivirus Security Pro,00040124), ref: 004133F7
ExitProcess.KERNEL32(00000000), ref: 00413403
FindWindowW.USER32(MainAntivirus_Class,00000000), ref: 0041340E
SendMessageW.USER32(?,00000002,00001234,0000ABCD), ref: 00413425
Sleep.KERNEL32(000007D0), ref: 00413430

Part of subcall function 004052C3: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 004052EB

RegDeleteValueW.ADVAPI32(?,AS2014), ref: 00413451
RegSetValueExW.ADVAPI32(?,AS2014,00000000,00000001,?,00000001), ref: 00413478
RegCloseKey.ADVAPI32(?), ref: 00413484
RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 004134A7
RegQueryValueExW.ADVAPI32(?,Programs,00000000,00000000,?,?), ref: 004134CA
SHGetFolderPathW.SHELL32(00000000,00000002,00000000,00000000,?), ref: 004134E2
PathAppendW.SHLWAPI(?,Antivirus Security Pro), ref: 004134FC
SHFileOperationW.SHELL32(?), ref: 0041356A
RegCloseKey.ADVAPI32(?), ref: 00413576
DeleteFileW.KERNEL32 ref: 00413589
RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,?), ref: 004135A8
MoveFileW.KERNEL32(?,?), ref: 00413619
RegSetValueExW.ADVAPI32(?,Uninstall AS2014,00000000,00000001,?,?), ref: 004136B3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004136E1
SHGetPathFromIDListW.SHELL32(?,?), ref: 004136FC
SetFileAttributesW.KERNEL32(?,00000080), ref: 00413799
DeleteFileW.KERNEL32(?), ref: 004137B6
SetFileAttributesW.KERNEL32(?,00000080), ref: 00413819
DeleteFileW.KERNEL32(?), ref: 00413830
SetFileAttributesW.KERNEL32(?,00000080), ref: 00413893
DeleteFileW.KERNEL32(?), ref: 004138AA
SHDeleteKeyW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Security Pro), ref: 004138C9
MessageBoxW.USER32(00000000,Antivirus Security Pro was deleted successfully,Antivirus Security Pro,00000000), ref: 004138DB

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Antivirus Security Pro, xrefs: 004133EC 004134F0 004138D0
Are you sure to uninstall Antivirus Security Pro?, xrefs: 004133F1
MainAntivirus_Class, xrefs: 00413409
AS2014, xrefs: 0041344B 00413467
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00413493
Programs, xrefs: 004134BF
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0041359E
cmd /C del /F /Q ", xrefs: 004135B2 004135C3 004135E2
Uninstall AS2014, xrefs: 004136A8
\Antivirus Security Pro registration info.url, xrefs: 00413760 00413765 0041376D
\Antivirus Security Pro support.url, xrefs: 004137E6 004137EB 004137F3
\Antivirus Security Pro.lnk, xrefs: 00413860 00413865 0041386D
Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Security Pro, xrefs: 004138BF
Antivirus Security Pro was deleted successfully, xrefs: 004138D5

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00404A90, Relevance: 76.0, APIs: 43, Instructions: 275

APIs

#2919.MFC42(000001F4,000001F4,?,?,?,?,?,00409030,000000FF,0040483A,?), ref: 00404ACD
GetPrivateProfileStringA.KERNEL32(00000000,0040D2F4,00000000,?,000001F4,000001F4), ref: 00404AE1
_mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?,?,?,?,?,00409030,000000FF,0040483A,?), ref: 00404AEC
#800.MFC42 ref: 00404B01
#800.MFC42 ref: 00404B12
#2919.MFC42(000001F4,000001F4,?), ref: 00404B46
GetPrivateProfileStringA.KERNEL32(?,0040D2E8,00000000,?,000001F4,000001F4), ref: 00404B54
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404B6F
GetPrivateProfileStringA.KERNEL32(?,0040D2DC,00000000,?,000001F4,000001F4), ref: 00404B7D
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404B98
GetPrivateProfileStringA.KERNEL32(000001F4,0040D194,00000000,?,000001F4,000001F4), ref: 00404BA6
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404BC1
GetPrivateProfileStringA.KERNEL32(000001F4,0040D2D4,00000000,?,000001F4,000001F4), ref: 00404BCF
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404BEA
GetPrivateProfileStringA.KERNEL32(000001F4,0040D2CC,00000000,?,000001F4,000001F4), ref: 00404BF8
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C13
GetPrivateProfileStringA.KERNEL32(000001F4,0040D2C0,00000000,?,000001F4,000001F4), ref: 00404C21
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C3C
GetPrivateProfileStringA.KERNEL32(000001F4,0040D2B4,00000000,?,000001F4,000001F4), ref: 00404C4A
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C65
GetPrivateProfileStringA.KERNEL32(000001F4,0040D2AC,00000000,?,000001F4,000001F4), ref: 00404C73
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C8E
GetPrivateProfileStringA.KERNEL32(000001F4,0040D2A4,00000000,?,000001F4,000001F4), ref: 00404C9C
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404CB7
GetPrivateProfileStringA.KERNEL32(000001F4,0040D298,00000000,?,000001F4,000001F4), ref: 00404CC5
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404CE0
GetPrivateProfileStringA.KERNEL32(000001F4,0040D28C,00000000,?,000001F4,000001F4), ref: 00404CEE
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D09
GetPrivateProfileStringA.KERNEL32(000001F4,0040D27C,00000000,?,000001F4,000001F4), ref: 00404D17
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D32
GetPrivateProfileStringA.KERNEL32(000001F4,0040D270,00000000,?,000001F4,000001F4), ref: 00404D40
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D5B
GetPrivateProfileStringA.KERNEL32(000001F4,0040D264,00000000,?,000001F4,000001F4), ref: 00404D69
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D84
GetPrivateProfileStringA.KERNEL32(000001F4,0040D258,00000000,?,000001F4,000001F4), ref: 00404D92
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404DAD
GetPrivateProfileStringA.KERNEL32(000001F4,0040D24C,00000000,?,000001F4,000001F4), ref: 00404DBB
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404DD6
GetPrivateProfileStringA.KERNEL32(000001F4,0040D244,00000000,?,000001F4,000001F4), ref: 00404DE4
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404DFF
GetPrivateProfileStringA.KERNEL32(000001F4,0040D23C,00000000,?,000001F4,000001F4), ref: 00404E0D
#800.MFC42(?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404E18
#800.MFC42(?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404E29

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004054B0, Relevance: 70.9, APIs: 47, Instructions: 372

APIs

#540.MFC42(?,00000000), ref: 004054D3
#540.MFC42(?,00000000), ref: 004054E5
#540.MFC42(?,00000000), ref: 004054F6
#2818.MFC42(?,0040D188,?,?,?,00000000), ref: 0040551B
GetPrivateProfileIntA.KERNEL32(0040D190,0040D0CC,00000000,?), ref: 00405533
#2818.MFC42(?,0040D180,00000001,0000C6CE,?,?,?,?,00000000), ref: 0040555B
#2919.MFC42(000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 0040557A
GetPrivateProfileStringA.KERNEL32(0040D190,?,00000000,?,000001F4,000001F4), ref: 00405588
#540.MFC42(?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 004055AB
#6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 004055C3
#4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 004055D2
#858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 004055F5
#800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 00405606
#6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE), ref: 0040561D
#5710.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE), ref: 0040562F
#2818.MFC42(?,0040D188,?,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4), ref: 00405650
#800.MFC42(?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 00405664
#6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 00405674
#4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 00405683
#858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 004056A6
#800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE,?,?,?,?,00000000), ref: 004056B7
#6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE), ref: 004056CE
#5710.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE), ref: 004056E0
#858.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE), ref: 004056F2
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?,?,0000C6CE), ref: 00405703
#6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00405713
#4129.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,000001F4), ref: 00405722
#858.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 00405742
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 00405753
#6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C), ref: 0040576A
#5710.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 0040577C
#858.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 0040579F
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 004057B0
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F023F,?), ref: 00405877
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00405896
RegQueryValueExA.ADVAPI32(?,0040D358,00000000,?,?,?), ref: 004058C1
#537.MFC42(?,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 004058D0
#858.MFC42(?,?,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 004058F7
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00405934
RegQueryValueExA.ADVAPI32(?,0040D358,00000000,?,?,?), ref: 00405955
#537.MFC42(?,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 00405964
#858.MFC42(?,?,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 0040598B
#800.MFC42(?,?,?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 0040599C
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001), ref: 004059AD
#800.MFC42(?,?,?,00000000), ref: 004059D2
#800.MFC42(?,?,?,00000000), ref: 004059E3
#800.MFC42(?,?,?,00000000), ref: 004059F7

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0040276E, Relevance: 69.4, APIs: 46, Instructions: 356

APIs

LocalFree.KERNEL32(?), ref: 00402843
GetLastError.KERNEL32 ref: 004028C5
GetLastError.KERNEL32 ref: 004028C7
GetLastError.KERNEL32 ref: 004028CE
LocalFree.KERNEL32(?), ref: 004028EC
GetLastError.KERNEL32 ref: 004028F2
#540.MFC42 ref: 0040291D
#540.MFC42 ref: 0040292F
#540.MFC42 ref: 00402940
#2818.MFC42(?,0040D070,?,?), ref: 00402964
#2818.MFC42(?,0040D070,?,?), ref: 0040298F
#540.MFC42 ref: 004029A8
#2818.MFC42(?,0040D064,00000000), ref: 004029DD
#535.MFC42(?,?,00000000), ref: 004029F0
#535.MFC42(?,?,?,?,00000000), ref: 00402A09

Part of subcall function 00404210: #540.MFC42(00000000), ref: 0040423B
Part of subcall function 00404210: #2818.MFC42(?,0040D188,?,?,00000000), ref: 0040425D
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404269
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404277
Part of subcall function 00404210: GetPrivateProfileIntA.KERNEL32(?,0040D0CC,00000000,?), ref: 00404292
Part of subcall function 00404210: #2818.MFC42(?,0040D180,00000001), ref: 004042B5
Part of subcall function 00404210: #2919.MFC42(000001F4,000001F4,?), ref: 004042D8
Part of subcall function 00404210: GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004042E2
Part of subcall function 00404210: #6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042EF
Part of subcall function 00404210: #4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042FE
Part of subcall function 00404210: #858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040430D
Part of subcall function 00404210: #800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040431B
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404324
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040432D
Part of subcall function 00404210: #2764.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040433B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040435B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404369
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404377
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404385
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404396
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043BB
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043C9
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043D7
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043E5
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043F6

#535.MFC42(?,?,?,?,?,?,00000000), ref: 00402A41

Part of subcall function 004067A0: #540.MFC42 ref: 004067CF
Part of subcall function 004067A0: #535.MFC42(?), ref: 004067E5
Part of subcall function 004067A0: #858.MFC42 ref: 00406800
Part of subcall function 004067A0: #800.MFC42 ref: 0040680E
Part of subcall function 004067A0: #6663.MFC42(0040D3E4,00000001), ref: 00406825
Part of subcall function 004067A0: #5710.MFC42(?,?,0040D3E4,00000001), ref: 00406837
Part of subcall function 004067A0: #858.MFC42(?,?,?,0040D3E4,00000001), ref: 00406846
Part of subcall function 004067A0: #800.MFC42(?,?,?,0040D3E4,00000001), ref: 00406854
Part of subcall function 004067A0: #535.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406864
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 0040687A
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406888

#858.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A60
#800.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A71
#858.MFC42(?,?,?,?,?,?,?,?,?,00000000), ref: 00402A7E
#858.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A8B
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A98
#860.MFC42(0040D054), ref: 00402AAC
#540.MFC42(0040D054), ref: 00402AB5
#540.MFC42(0040D054), ref: 00402AC6
#540.MFC42(0040D054), ref: 00402AD7
#2818.MFC42(?,0040D044), ref: 00402AF5
#2818.MFC42(?,0040D034,?,?,0040D044), ref: 00402B0B
#2919.MFC42(000001F4,000001F4,?), ref: 00402B32
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00402B40
_mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?), ref: 00402B50
#858.MFC42(?,000001F4,?), ref: 00402B64
#800.MFC42(000001F4,?), ref: 00402B75
#800.MFC42(000001F4,?), ref: 00402B86
#800.MFC42(000001F4,?), ref: 00402B97
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BC2
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BD3
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BE4
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BF8
SetupDiEnumDeviceInfo.SETUPAPI(?,?,?), ref: 00402C11
GetLastError.KERNEL32(?,?,?,?,?,0040D054), ref: 00402C23
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C2C
SetLastError.KERNEL32(?,?,?,?,?,?,0040D054), ref: 00402C33
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C60
SetLastError.KERNEL32 ref: 00402C67
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C76
SetLastError.KERNEL32 ref: 00402C7D

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0040279D, Relevance: 63.3, APIs: 42, Instructions: 347

APIs

LocalFree.KERNEL32(?), ref: 00402843
GetLastError.KERNEL32 ref: 004028C5
GetLastError.KERNEL32 ref: 004028C7
GetLastError.KERNEL32 ref: 004028CE
LocalFree.KERNEL32(?), ref: 004028EC
GetLastError.KERNEL32 ref: 004028F2
#540.MFC42 ref: 0040291D
#540.MFC42 ref: 0040292F
#540.MFC42 ref: 00402940
#2818.MFC42(?,0040D070,?,?), ref: 00402964
#2818.MFC42(?,0040D070,?,?), ref: 0040298F
#540.MFC42 ref: 004029A8
#2818.MFC42(?,0040D064,00000000), ref: 004029DD
#535.MFC42(?,?,00000000), ref: 004029F0
#535.MFC42(?,?,?,?,00000000), ref: 00402A09

Part of subcall function 00404210: #540.MFC42(00000000), ref: 0040423B
Part of subcall function 00404210: #2818.MFC42(?,0040D188,?,?,00000000), ref: 0040425D
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404269
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404277
Part of subcall function 00404210: GetPrivateProfileIntA.KERNEL32(?,0040D0CC,00000000,?), ref: 00404292
Part of subcall function 00404210: #2818.MFC42(?,0040D180,00000001), ref: 004042B5
Part of subcall function 00404210: #2919.MFC42(000001F4,000001F4,?), ref: 004042D8
Part of subcall function 00404210: GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004042E2
Part of subcall function 00404210: #6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042EF
Part of subcall function 00404210: #4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042FE
Part of subcall function 00404210: #858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040430D
Part of subcall function 00404210: #800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040431B
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404324
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040432D
Part of subcall function 00404210: #2764.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040433B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040435B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404369
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404377
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404385
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404396
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043BB
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043C9
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043D7
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043E5
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043F6

#535.MFC42(?,?,?,?,?,?,00000000), ref: 00402A41

Part of subcall function 004067A0: #540.MFC42 ref: 004067CF
Part of subcall function 004067A0: #535.MFC42(?), ref: 004067E5
Part of subcall function 004067A0: #858.MFC42 ref: 00406800
Part of subcall function 004067A0: #800.MFC42 ref: 0040680E
Part of subcall function 004067A0: #6663.MFC42(0040D3E4,00000001), ref: 00406825
Part of subcall function 004067A0: #5710.MFC42(?,?,0040D3E4,00000001), ref: 00406837
Part of subcall function 004067A0: #858.MFC42(?,?,?,0040D3E4,00000001), ref: 00406846
Part of subcall function 004067A0: #800.MFC42(?,?,?,0040D3E4,00000001), ref: 00406854
Part of subcall function 004067A0: #535.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406864
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 0040687A
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406888

#858.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A60
#800.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A71
#858.MFC42(?,?,?,?,?,?,?,?,?,00000000), ref: 00402A7E
#858.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A8B
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A98
#860.MFC42(0040D054), ref: 00402AAC
#540.MFC42(0040D054), ref: 00402AB5
#540.MFC42(0040D054), ref: 00402AC6
#540.MFC42(0040D054), ref: 00402AD7
#2818.MFC42(?,0040D044), ref: 00402AF5
#2818.MFC42(?,0040D034,?,?,0040D044), ref: 00402B0B
#2919.MFC42(000001F4,000001F4,?), ref: 00402B32
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00402B40
_mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?), ref: 00402B50
#858.MFC42(?,000001F4,?), ref: 00402B64
#800.MFC42(000001F4,?), ref: 00402B75
#800.MFC42(000001F4,?), ref: 00402B86
#800.MFC42(000001F4,?), ref: 00402B97
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BC2
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BD3
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BE4
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BF8
SetupDiEnumDeviceInfo.SETUPAPI(?,?,?), ref: 00402C11
GetLastError.KERNEL32(?,?,?,?,?,0040D054), ref: 00402C23
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C2C
SetLastError.KERNEL32(?,?,?,?,?,?,0040D054), ref: 00402C33
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C60
SetLastError.KERNEL32 ref: 00402C67
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C76
SetLastError.KERNEL32 ref: 00402C7D

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0040278D, Relevance: 63.3, APIs: 42, Instructions: 337

APIs

LocalFree.KERNEL32(?), ref: 00402843
GetLastError.KERNEL32 ref: 004028C5
GetLastError.KERNEL32 ref: 004028C7
GetLastError.KERNEL32 ref: 004028CE
LocalFree.KERNEL32(?), ref: 004028EC
GetLastError.KERNEL32 ref: 004028F2
#540.MFC42 ref: 0040291D
#540.MFC42 ref: 0040292F
#540.MFC42 ref: 00402940
#2818.MFC42(?,0040D070,?,?), ref: 00402964
#2818.MFC42(?,0040D070,?,?), ref: 0040298F
#540.MFC42 ref: 004029A8
#2818.MFC42(?,0040D064,00000000), ref: 004029DD
#535.MFC42(?,?,00000000), ref: 004029F0
#535.MFC42(?,?,?,?,00000000), ref: 00402A09

Part of subcall function 00404210: #540.MFC42(00000000), ref: 0040423B
Part of subcall function 00404210: #2818.MFC42(?,0040D188,?,?,00000000), ref: 0040425D
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404269
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404277
Part of subcall function 00404210: GetPrivateProfileIntA.KERNEL32(?,0040D0CC,00000000,?), ref: 00404292
Part of subcall function 00404210: #2818.MFC42(?,0040D180,00000001), ref: 004042B5
Part of subcall function 00404210: #2919.MFC42(000001F4,000001F4,?), ref: 004042D8
Part of subcall function 00404210: GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004042E2
Part of subcall function 00404210: #6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042EF
Part of subcall function 00404210: #4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042FE
Part of subcall function 00404210: #858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040430D
Part of subcall function 00404210: #800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040431B
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404324
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040432D
Part of subcall function 00404210: #2764.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040433B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040435B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404369
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404377
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404385
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404396
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043BB
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043C9
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043D7
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043E5
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043F6

#535.MFC42(?,?,?,?,?,?,00000000), ref: 00402A41

Part of subcall function 004067A0: #540.MFC42 ref: 004067CF
Part of subcall function 004067A0: #535.MFC42(?), ref: 004067E5
Part of subcall function 004067A0: #858.MFC42 ref: 00406800
Part of subcall function 004067A0: #800.MFC42 ref: 0040680E
Part of subcall function 004067A0: #6663.MFC42(0040D3E4,00000001), ref: 00406825
Part of subcall function 004067A0: #5710.MFC42(?,?,0040D3E4,00000001), ref: 00406837
Part of subcall function 004067A0: #858.MFC42(?,?,?,0040D3E4,00000001), ref: 00406846
Part of subcall function 004067A0: #800.MFC42(?,?,?,0040D3E4,00000001), ref: 00406854
Part of subcall function 004067A0: #535.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406864
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 0040687A
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406888

#858.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A60
#800.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A71
#858.MFC42(?,?,?,?,?,?,?,?,?,00000000), ref: 00402A7E
#858.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A8B
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A98
#860.MFC42(0040D054), ref: 00402AAC
#540.MFC42(0040D054), ref: 00402AB5
#540.MFC42(0040D054), ref: 00402AC6
#540.MFC42(0040D054), ref: 00402AD7
#2818.MFC42(?,0040D044), ref: 00402AF5
#2818.MFC42(?,0040D034,?,?,0040D044), ref: 00402B0B
#2919.MFC42(000001F4,000001F4,?), ref: 00402B32
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00402B40
_mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?), ref: 00402B50
#858.MFC42(?,000001F4,?), ref: 00402B64
#800.MFC42(000001F4,?), ref: 00402B75
#800.MFC42(000001F4,?), ref: 00402B86
#800.MFC42(000001F4,?), ref: 00402B97
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BC2
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BD3
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BE4
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BF8
SetupDiEnumDeviceInfo.SETUPAPI(?,?,?), ref: 00402C11
GetLastError.KERNEL32(?,?,?,?,?,0040D054), ref: 00402C23
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C2C
SetLastError.KERNEL32(?,?,?,?,?,?,0040D054), ref: 00402C33
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C60
SetLastError.KERNEL32 ref: 00402C67
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C76
SetLastError.KERNEL32 ref: 00402C7D

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004027EA, Relevance: 63.3, APIs: 42, Instructions: 312

APIs

LocalFree.KERNEL32(?), ref: 00402843
GetLastError.KERNEL32 ref: 004028C5
GetLastError.KERNEL32 ref: 004028C7
GetLastError.KERNEL32 ref: 004028CE
LocalFree.KERNEL32(?), ref: 004028EC
GetLastError.KERNEL32 ref: 004028F2
#540.MFC42 ref: 0040291D
#540.MFC42 ref: 0040292F
#540.MFC42 ref: 00402940
#2818.MFC42(?,0040D070,?,?), ref: 00402964
#2818.MFC42(?,0040D070,?,?), ref: 0040298F
#540.MFC42 ref: 004029A8
#2818.MFC42(?,0040D064,00000000), ref: 004029DD
#535.MFC42(?,?,00000000), ref: 004029F0
#535.MFC42(?,?,?,?,00000000), ref: 00402A09

Part of subcall function 00404210: #540.MFC42(00000000), ref: 0040423B
Part of subcall function 00404210: #2818.MFC42(?,0040D188,?,?,00000000), ref: 0040425D
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404269
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404277
Part of subcall function 00404210: GetPrivateProfileIntA.KERNEL32(?,0040D0CC,00000000,?), ref: 00404292
Part of subcall function 00404210: #2818.MFC42(?,0040D180,00000001), ref: 004042B5
Part of subcall function 00404210: #2919.MFC42(000001F4,000001F4,?), ref: 004042D8
Part of subcall function 00404210: GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004042E2
Part of subcall function 00404210: #6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042EF
Part of subcall function 00404210: #4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042FE
Part of subcall function 00404210: #858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040430D
Part of subcall function 00404210: #800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040431B
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404324
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040432D
Part of subcall function 00404210: #2764.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040433B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040435B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404369
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404377
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404385
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404396
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043BB
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043C9
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043D7
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043E5
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043F6

#535.MFC42(?,?,?,?,?,?,00000000), ref: 00402A41

Part of subcall function 004067A0: #540.MFC42 ref: 004067CF
Part of subcall function 004067A0: #535.MFC42(?), ref: 004067E5
Part of subcall function 004067A0: #858.MFC42 ref: 00406800
Part of subcall function 004067A0: #800.MFC42 ref: 0040680E
Part of subcall function 004067A0: #6663.MFC42(0040D3E4,00000001), ref: 00406825
Part of subcall function 004067A0: #5710.MFC42(?,?,0040D3E4,00000001), ref: 00406837
Part of subcall function 004067A0: #858.MFC42(?,?,?,0040D3E4,00000001), ref: 00406846
Part of subcall function 004067A0: #800.MFC42(?,?,?,0040D3E4,00000001), ref: 00406854
Part of subcall function 004067A0: #535.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406864
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 0040687A
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406888

#858.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A60
#800.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A71
#858.MFC42(?,?,?,?,?,?,?,?,?,00000000), ref: 00402A7E
#858.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A8B
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A98
#860.MFC42(0040D054), ref: 00402AAC
#540.MFC42(0040D054), ref: 00402AB5
#540.MFC42(0040D054), ref: 00402AC6
#540.MFC42(0040D054), ref: 00402AD7
#2818.MFC42(?,0040D044), ref: 00402AF5
#2818.MFC42(?,0040D034,?,?,0040D044), ref: 00402B0B
#2919.MFC42(000001F4,000001F4,?), ref: 00402B32
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00402B40
_mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?), ref: 00402B50
#858.MFC42(?,000001F4,?), ref: 00402B64
#800.MFC42(000001F4,?), ref: 00402B75
#800.MFC42(000001F4,?), ref: 00402B86
#800.MFC42(000001F4,?), ref: 00402B97
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BC2
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BD3
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BE4
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BF8
SetupDiEnumDeviceInfo.SETUPAPI(?,?,?), ref: 00402C11
GetLastError.KERNEL32(?,?,?,?,?,0040D054), ref: 00402C23
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C2C
SetLastError.KERNEL32(?,?,?,?,?,?,0040D054), ref: 00402C33
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C60
SetLastError.KERNEL32 ref: 00402C67
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C76
SetLastError.KERNEL32 ref: 00402C7D

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00402873, Relevance: 61.8, APIs: 41, Instructions: 264

APIs

GetLastError.KERNEL32 ref: 004028C5
GetLastError.KERNEL32 ref: 004028C7
GetLastError.KERNEL32 ref: 004028CE
LocalFree.KERNEL32(?), ref: 004028EC
GetLastError.KERNEL32 ref: 004028F2
#540.MFC42 ref: 0040291D
#540.MFC42 ref: 0040292F
#540.MFC42 ref: 00402940
#2818.MFC42(?,0040D070,?,?), ref: 00402964
#2818.MFC42(?,0040D070,?,?), ref: 0040298F
#540.MFC42 ref: 004029A8
#2818.MFC42(?,0040D064,00000000), ref: 004029DD
#535.MFC42(?,?,00000000), ref: 004029F0
#535.MFC42(?,?,?,?,00000000), ref: 00402A09

Part of subcall function 00404210: #540.MFC42(00000000), ref: 0040423B
Part of subcall function 00404210: #2818.MFC42(?,0040D188,?,?,00000000), ref: 0040425D
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404269
Part of subcall function 00404210: #540.MFC42(00000000), ref: 00404277
Part of subcall function 00404210: GetPrivateProfileIntA.KERNEL32(?,0040D0CC,00000000,?), ref: 00404292
Part of subcall function 00404210: #2818.MFC42(?,0040D180,00000001), ref: 004042B5
Part of subcall function 00404210: #2919.MFC42(000001F4,000001F4,?), ref: 004042D8
Part of subcall function 00404210: GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004042E2
Part of subcall function 00404210: #6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042EF
Part of subcall function 00404210: #4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042FE
Part of subcall function 00404210: #858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040430D
Part of subcall function 00404210: #800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040431B
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404324
Part of subcall function 00404210: #4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040432D
Part of subcall function 00404210: #2764.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040433B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040435B
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404369
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404377
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404385
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404396
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043BB
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043C9
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043D7
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043E5
Part of subcall function 00404210: #800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043F6

#535.MFC42(?,?,?,?,?,?,00000000), ref: 00402A41

Part of subcall function 004067A0: #540.MFC42 ref: 004067CF
Part of subcall function 004067A0: #535.MFC42(?), ref: 004067E5
Part of subcall function 004067A0: #858.MFC42 ref: 00406800
Part of subcall function 004067A0: #800.MFC42 ref: 0040680E
Part of subcall function 004067A0: #6663.MFC42(0040D3E4,00000001), ref: 00406825
Part of subcall function 004067A0: #5710.MFC42(?,?,0040D3E4,00000001), ref: 00406837
Part of subcall function 004067A0: #858.MFC42(?,?,?,0040D3E4,00000001), ref: 00406846
Part of subcall function 004067A0: #800.MFC42(?,?,?,0040D3E4,00000001), ref: 00406854
Part of subcall function 004067A0: #535.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406864
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 0040687A
Part of subcall function 004067A0: #800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406888

#858.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A60
#800.MFC42(?,?,?,?,?,?,?,?,00000000), ref: 00402A71
#858.MFC42(?,?,?,?,?,?,?,?,?,00000000), ref: 00402A7E
#858.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A8B
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402A98
#860.MFC42(0040D054), ref: 00402AAC
#540.MFC42(0040D054), ref: 00402AB5
#540.MFC42(0040D054), ref: 00402AC6
#540.MFC42(0040D054), ref: 00402AD7
#2818.MFC42(?,0040D044), ref: 00402AF5
#2818.MFC42(?,0040D034,?,?,0040D044), ref: 00402B0B
#2919.MFC42(000001F4,000001F4,?), ref: 00402B32
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00402B40
_mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?), ref: 00402B50
#858.MFC42(?,000001F4,?), ref: 00402B64
#800.MFC42(000001F4,?), ref: 00402B75
#800.MFC42(000001F4,?), ref: 00402B86
#800.MFC42(000001F4,?), ref: 00402B97
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BC2
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BD3
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BE4
#800.MFC42(?,000001F4,?,?,?,?,?,?,0040D054), ref: 00402BF8
SetupDiEnumDeviceInfo.SETUPAPI(?,?,?), ref: 00402C11
GetLastError.KERNEL32(?,?,?,?,?,0040D054), ref: 00402C23
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C2C
SetLastError.KERNEL32(?,?,?,?,?,?,0040D054), ref: 00402C33
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C60
SetLastError.KERNEL32 ref: 00402C67
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00402C76
SetLastError.KERNEL32 ref: 00402C7D

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00401CA0, Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 146

APIs

#324.MFC42(00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401CC5

Part of subcall function 00406E70: #324.MFC42(0000008F,?,?,?,?,?,00409388,000000FF,00401CDC,00000000,00000066,?), ref: 00406E98
Part of subcall function 00406E70: #567.MFC42(0000008F,?,?,?,?,?,00409388,000000FF,00401CDC,00000000,00000066,?), ref: 00406EAA

Part of subcall function 00407130: #567.MFC42(?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 00407150
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000001,00000000), ref: 00407266
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 0040726B
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000003,0058C4FA), ref: 00407279
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 0040727E
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000003,006ACAFB), ref: 0040728C
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 00407292
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000002,0079D2FC), ref: 004072A0
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 004072A6

Part of subcall function 00407130: CreatePen.GDI32(00000006,00000002,000097E5), ref: 004072B4
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066), ref: 004072BA
Part of subcall function 00407130: CreateSolidBrush.GDI32(00ECDEDF), ref: 004072CA
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000), ref: 004072D3
Part of subcall function 00407130: CreateSolidBrush.GDI32(00ECDFDE), ref: 004072DD
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC), ref: 004072E6
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000003,00FCC699), ref: 004072F4
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF), ref: 004072FA
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000002,00FFC9A2), ref: 00407308
Part of subcall function 00407130: #1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040948A), ref: 0040730E
Part of subcall function 00407130: CreatePen.GDI32(00000006,00000003,00FCBDA2), ref: 0040731C
Part of subcall function 00407130: #1641.MFC42 ref: 00407322

#567.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401D49
#567.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401D61
#567.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401D79
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401D95
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DA2
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DAF
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DBC
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DC9
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DD6
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DE3
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DF0
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401DFD
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E0A
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E17
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E24
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E31
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E3E
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E4B
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E58
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E65
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E72
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E7F
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401E8F
#540.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401EBE
#1168.MFC42(00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401EF2
#1146.MFC42(00000080,0000000E,00000080,00000000,00000066,?,?,?,?,?,00408C32,000000FF), ref: 00401F03
LoadIconA.USER32(?,00000080), ref: 00401F09

Strings

p~@, xrefs: 00401D7E
!, xrefs: 00401EDD
", xrefs: 00401EE7

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00403EF0, Relevance: 54.2, APIs: 36, Instructions: 235

APIs

#540.MFC42(?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403F14
#540.MFC42(?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403F25
#858.MFC42(?,0000C6CE,?,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403F66
#858.MFC42(?,?,0000C6CE,?,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403F70
#6663.MFC42(0040D10C,00000001,?,?,0000C6CE,?,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403F7F
#4129.MFC42(?,?,0040D10C,00000001,?,?,0000C6CE,?,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403F8E
#6663.MFC42(0040D10C,00000001,?,?,0040D10C,00000001,?,?,0000C6CE,?,?,00000000,00FFF7F7,?,00001036,00000000), ref: 00403FA4
#4129.MFC42(?,?,0040D10C,00000001,?,?,0040D10C,00000001,?,?,0000C6CE,?,?,00000000,00FFF7F7), ref: 00403FB3
atoi.MSVCRT(?,?,?,0040D10C,00000001,?,?,0040D10C,00000001,?,?,0000C6CE,?,?,00000000,00FFF7F7), ref: 00403FBB
atoi.MSVCRT(?,?,?,?,0040D10C,00000001,?,?,0040D10C,00000001,?,?,0000C6CE,?,?,00000000), ref: 00403FC4
#800.MFC42(?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403FD5
#800.MFC42(?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00403FE2
#6663.MFC42(0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040400C
#5710.MFC42(?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040401E
#858.MFC42(?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040402D
#800.MFC42(?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040403A
#6663.MFC42(0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404050
#5710.MFC42(?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404062
#858.MFC42(?,?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000), ref: 00404071
#800.MFC42(?,?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000), ref: 0040407E
#6663.MFC42(0040D10C,00000001,?,?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7), ref: 0040408D
#6663.MFC42(0040D10C,00000001,0040D10C,00000001,?,?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000), ref: 004040A5
#6663.MFC42(0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004040B9
#4129.MFC42(?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004040C8
#6663.MFC42(0040D10C,00000001,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004040DE
#4129.MFC42(?,?,0040D10C,00000001,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004040ED
atoi.MSVCRT(?,?,?,0040D10C,00000001,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004040F5
atoi.MSVCRT(?,?,?,?,0040D10C,00000001,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000), ref: 004040FE
#800.MFC42(0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040410F
#800.MFC42(0040D10C,00000001,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040411C
atoi.MSVCRT(?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7), ref: 00404133
atoi.MSVCRT(00000001,?,?,?,0040D10C,00000001,?,?,?,0040D10C,00000001,?,00000000,00FFF7F7,?,00001036), ref: 0040413C
_mbscmp.MSVCRT(?,?,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040418B
#6888.MFC42(?,00000001,?,?,?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004041C3
#800.MFC42(?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004041E5
#800.MFC42(?,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004041F6

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00404730, Relevance: 46.7, APIs: 31, Instructions: 241

APIs

#540.MFC42(0000C6CE,?,?,?,00000000), ref: 0040475A
#2818.MFC42(?,0040D044,?,0000C6CE,?,?,?,00000000), ref: 00404778
#540.MFC42(?,?,?,00000000), ref: 00404784
GetSystemDefaultLCID.KERNEL32(?,?,?,00000000), ref: 0040478E
GetPrivateProfileIntA.KERNEL32(0040D234,0040D130,00000000,?), ref: 004047AD
#860.MFC42(0040D224,?,?,?,00000000), ref: 00404802
#535.MFC42(?,?,0040D224,?,?,?,00000000), ref: 00404813
#535.MFC42(?), ref: 00404829

Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,?,?,?,00409030,000000FF,0040483A,?), ref: 00404ACD
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(00000000,0040D2F4,00000000,?,000001F4,000001F4), ref: 00404AE1
Part of subcall function 00404A90: _mbscmp.MSVCRT(?,0040D534,?,000001F4,000001F4,?,?,?,?,?,00409030,000000FF,0040483A,?), ref: 00404AEC
Part of subcall function 00404A90: #800.MFC42 ref: 00404B01
Part of subcall function 00404A90: #800.MFC42 ref: 00404B12
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?), ref: 00404B46
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(?,0040D2E8,00000000,?,000001F4,000001F4), ref: 00404B54
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404B6F
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(?,0040D2DC,00000000,?,000001F4,000001F4), ref: 00404B7D
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404B98
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D194,00000000,?,000001F4,000001F4), ref: 00404BA6
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404BC1
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D2D4,00000000,?,000001F4,000001F4), ref: 00404BCF
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404BEA
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D2CC,00000000,?,000001F4,000001F4), ref: 00404BF8
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C13
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D2C0,00000000,?,000001F4,000001F4), ref: 00404C21
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C3C
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D2B4,00000000,?,000001F4,000001F4), ref: 00404C4A
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C65
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D2AC,00000000,?,000001F4,000001F4), ref: 00404C73

#535.MFC42(?,?,?), ref: 00404876

Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404C8E
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D2A4,00000000,?,000001F4,000001F4), ref: 00404C9C
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404CB7
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D298,00000000,?,000001F4,000001F4), ref: 00404CC5
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404CE0
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D28C,00000000,?,000001F4,000001F4), ref: 00404CEE
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D09
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D27C,00000000,?,000001F4,000001F4), ref: 00404D17
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D32
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D270,00000000,?,000001F4,000001F4), ref: 00404D40
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D5B
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D264,00000000,?,000001F4,000001F4), ref: 00404D69
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404D84
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D258,00000000,?,000001F4,000001F4), ref: 00404D92
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404DAD
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D24C,00000000,?,000001F4,000001F4), ref: 00404DBB
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404DD6

#535.MFC42(?,?,?,?,0040D21C,?,?,?), ref: 004048BB

Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D244,00000000,?,000001F4,000001F4), ref: 00404DE4
Part of subcall function 00404A90: #2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404DFF
Part of subcall function 00404A90: GetPrivateProfileStringA.KERNEL32(000001F4,0040D23C,00000000,?,000001F4,000001F4), ref: 00404E0D
Part of subcall function 00404A90: #800.MFC42(?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404E18
Part of subcall function 00404A90: #800.MFC42(?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,000001F4,000001F4,?), ref: 00404E29

#2818.MFC42(?,0040D0D4,?,?), ref: 0040484D
#535.MFC42(?), ref: 00404860
#860.MFC42(0040D21C,?,?,?), ref: 00404894
#535.MFC42(?,?,0040D21C,?,?,?), ref: 004048A5

Part of subcall function 00406B90: GetSystemDirectoryA.KERNEL32 ref: 00406BD8
Part of subcall function 00406B90: sprintf.MSVCRT ref: 00406BFA
Part of subcall function 00406B90: LoadLibraryA.KERNEL32(?), ref: 00406C0F
Part of subcall function 00406B90: LoadLibraryA.KERNEL32(0040D40C), ref: 00406C1C
Part of subcall function 00406B90: GetProcAddress.KERNEL32(?,0040D3FC), ref: 00406C2A
Part of subcall function 00406B90: GetCurrentProcess.KERNEL32 ref: 00406C3B
Part of subcall function 00406B90: FreeLibrary.KERNEL32 ref: 00406C49
Part of subcall function 00406B90: FreeLibrary.KERNEL32 ref: 00406C5F

Part of subcall function 00403A50: GetVersionExA.KERNEL32(?), ref: 00403A78
Part of subcall function 00403A50: malloc.MSVCRT ref: 00403AC3
Part of subcall function 00403A50: GetSystemDirectoryA.KERNEL32(?,00000064), ref: 00403AD1
Part of subcall function 00403A50: #540.MFC42(?,?,00000064,0000C5E4), ref: 00403B1A
Part of subcall function 00403A50: #858.MFC42(?,?,?,?,00000064,0000C5E4), ref: 00403B42
Part of subcall function 00403A50: #800.MFC42(?,?,?,?,00000064,0000C5E4), ref: 00403B53
Part of subcall function 00403A50: #4129.MFC42(?,00000001,?,?,?,?,00000064,0000C5E4), ref: 00403B63
Part of subcall function 00403A50: _mbscmp.MSVCRT(?,0040D114,?,00000001,?,?,?,?,00000064,0000C5E4), ref: 00403B76
Part of subcall function 00403A50: #800.MFC42(?,00000064,0000C5E4), ref: 00403B84
Part of subcall function 00403A50: #4129.MFC42(?,00000003,?,00000064,0000C5E4), ref: 00403BA0
Part of subcall function 00403A50: #5710.MFC42(?,00000001,?,00000003,?,00000064,0000C5E4), ref: 00403BB6
Part of subcall function 00403A50: _mbscmp.MSVCRT(?,0040D110,?,00000001,?,00000003,?,00000064,0000C5E4), ref: 00403BC3
Part of subcall function 00403A50: #800.MFC42(?,00000003,?,00000064,0000C5E4), ref: 00403BD1
Part of subcall function 00403A50: #800.MFC42(?,00000003,?,00000064,0000C5E4), ref: 00403BE2
Part of subcall function 00403A50: free.MSVCRT ref: 00403BF4
Part of subcall function 00403A50: #800.MFC42(?,?,00000064,0000C5E4), ref: 00403C09

#860.MFC42(0040D210,?), ref: 004048F8
#860.MFC42(0040D1F8,?), ref: 0040491B
#860.MFC42(0040D1E4,?), ref: 0040493E
#860.MFC42(0040D1D8,0040D1E4,?), ref: 00404954
#2818.MFC42(?,0040D188,?,?,0040D1E4,?), ref: 0040496B
PathFileExistsA.SHLWAPI(?), ref: 00404978
#540.MFC42 ref: 00404986
#2818.MFC42(?,0040D1A4,?), ref: 0040499F
#4224.MFC42(?,00000000,00000000), ref: 004049B2
#860.MFC42(0040D534,?,00000000,00000000), ref: 004049C0
#535.MFC42(?,0040D534,?,00000000,00000000), ref: 004049D0
#800.MFC42(?,0040D534,?,00000000,00000000), ref: 004049E6
GetPrivateProfileIntA.KERNEL32(0040D194,0040D19C,00000000,?), ref: 004049FE
GetPrivateProfileIntA.KERNEL32(0040D190,0040D0CC,00000000,?), ref: 00404A17
#535.MFC42(?), ref: 00404A42
#800.MFC42(?), ref: 00404A58
#800.MFC42(?), ref: 00404A66

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00406480, Relevance: 44.3, APIs: 25, Instructions: 170

APIs

#540.MFC42 ref: 004064A9
#2818.MFC42(?,0040D188,?,?), ref: 004064C9
#540.MFC42 ref: 004064D5
#858.MFC42(?), ref: 004064E8
_mbscmp.MSVCRT(?,0040D534,?), ref: 004064F7
#4224.MFC42(?,00000000,00000000), ref: 00406511
#800.MFC42(?,00000000,00000000), ref: 0040651F
#800.MFC42(?,00000000,00000000), ref: 0040652D
#800.MFC42(?,00000000,00000000), ref: 0040653E
#6663.MFC42(0040D10C,00000001), ref: 00406564
#5710.MFC42(?,?,?,0040D10C,00000001), ref: 00406583

Part of subcall function 00405260: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,00020119,?), ref: 004052A7
Part of subcall function 00405260: RegQueryValueExA.ADVAPI32(?,0040D534,00000000,?,?,?), ref: 004052CC
Part of subcall function 00405260: #537.MFC42(?), ref: 004052DF
Part of subcall function 00405260: _mbscmp.MSVCRT(?,0040D534,?), ref: 004052EE
Part of subcall function 00405260: #800.MFC42(?,?), ref: 00405307
Part of subcall function 00405260: #800.MFC42(?,?), ref: 0040531E
Part of subcall function 00405260: #800.MFC42(?,?), ref: 0040533C
Part of subcall function 00405260: #800.MFC42(?,?), ref: 00405353

ShellExecuteA.SHELL32(?,0040D124,?,00000000,00000000,00000003), ref: 004065A7
#1200.MFC42(?,00000000,00000000,?,0040D124,?,00000000,00000000,00000003,?,?,?,0040D10C,00000001), ref: 004065C1
#540.MFC42(?,?,?,0040D10C,00000001), ref: 004065CF
#6663.MFC42(0040D10C,00000001,?,?,?,0040D10C), ref: 004065EB
#5710.MFC42(?,?,0040D10C,00000001,?,?,?,0040D10C), ref: 004065FC
#2818.MFC42(?,0040D3DC,?,?,?,?,0040D10C,00000001,?), ref: 0040661A
#800.MFC42 ref: 0040662B
#4224.MFC42(?,?,00000001), ref: 00406640
#2818.MFC42(?,0040D188,?,?,?,?,00000001), ref: 0040665C
ShellExecuteA.SHELL32(?,0040D124,?,00000000,00000000,00000001), ref: 00406678
#800.MFC42(?,?,00000001), ref: 00406687
#800.MFC42(?,?,00000001), ref: 00406695
#800.MFC42(?,?,00000001), ref: 004066A3
#800.MFC42(?,?,00000001), ref: 004066B4

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00404210, Relevance: 44.1, APIs: 25, Instructions: 132

APIs

#540.MFC42(00000000), ref: 0040423B
#2818.MFC42(?,0040D188,?,?,00000000), ref: 0040425D
#540.MFC42(00000000), ref: 00404269
#540.MFC42(00000000), ref: 00404277
GetPrivateProfileIntA.KERNEL32(?,0040D0CC,00000000,?), ref: 00404292
#2818.MFC42(?,0040D180,00000001), ref: 004042B5
#2919.MFC42(000001F4,000001F4,?), ref: 004042D8
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004042E2
#6663.MFC42(0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042EF
#4129.MFC42(?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004042FE
#858.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040430D
#800.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040431B
#4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404324
#4202.MFC42(?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040432D
#2764.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040433B
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 0040435B
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404369
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404377
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404385
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 00404396
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043BB
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043C9
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043D7
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043E5
#800.MFC42(?,?,?,?,0040D17C,00000001,?,000001F4,000001F4,?), ref: 004043F6

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00404570, Relevance: 40.6, APIs: 23, Instructions: 127

APIs

#540.MFC42(?,?,?), ref: 00404599
#6663.MFC42(0040D17C,00000002,?,?,?), ref: 004045B9
#5710.MFC42(?,?,0040D17C,00000002,?,?,?), ref: 004045CB
#2818.MFC42 ref: 004045E9
#800.MFC42(00000002,?,?,?), ref: 004045F9
#6663.MFC42(0040D17C,00000001,00000002,?,?,?), ref: 00404608
#4129.MFC42(?,?,0040D17C,00000001,00000002,?,?,?), ref: 00404617
#858.MFC42(?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 00404629
#800.MFC42(?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 00404636
#6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 0040464C
#5710.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 0040465E
#858.MFC42(?,?), ref: 0040466D
#800.MFC42(?,?), ref: 0040467A
#6663.MFC42(0040D17C,00000001,?,?), ref: 00404689
#4129.MFC42(?,?,0040D17C,00000001,?,?), ref: 00404698
#858.MFC42(?,?,?,0040D17C,00000001,?,?), ref: 004046A6
#800.MFC42(?,?,?,0040D17C,00000001,?,?), ref: 004046B3
#6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 004046C9
#5710.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 004046DB
#858.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 004046E9
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 004046F6
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 00404704
#800.MFC42(?,?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 00404715

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00412DB4, Relevance: 38.6, APIs: 10, Strings: 9, Instructions: 166

APIs

CreateFileW.KERNEL32(?,001F01FF,00000000,00000000,00000001,00000080,00000000), ref: 00412DED
CloseHandle.KERNEL32 ref: 00412DF4
RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Security Pro,00000000,00471670,00000000,000F003F,00000000,?,00000000), ref: 00412E1D
RegSetValueExW.ADVAPI32(?,DisplayName,00000000,00000001,Antivirus Security Pro), ref: 00412E51
RegSetValueExW.ADVAPI32(?,InstallLocation,00000000,00000001,?,0000003D), ref: 00412E7F
RegSetValueExW.ADVAPI32(?,NoModify,00000000,00000004,?,00000004), ref: 00412E93
RegSetValueExW.ADVAPI32(?,NoRepair,00000000,00000004,?,00000004), ref: 00412EA4
RegSetValueExW.ADVAPI32(?,UninstallString,00000000,00000001,?,?), ref: 00412F3A
RegSetValueExW.ADVAPI32(?,DisplayIcon,00000000,00000001,?,?), ref: 00412F94
RegCloseKey.ADVAPI32(?), ref: 00412F99

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Security Pro, xrefs: 00412E0C
Antivirus Security Pro, xrefs: 00412E2B 00412E30 00412E45
DisplayName, xrefs: 00412E49
InstallLocation, xrefs: 00412E77
NoModify, xrefs: 00412E8B
NoRepair, xrefs: 00412E9C
" -uninstall, xrefs: 00412F02 00412F07 00412F0F
UninstallString, xrefs: 00412F32
DisplayIcon, xrefs: 00412F8C

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00407390, Relevance: 38.1, APIs: 21, Instructions: 120

APIs

#2414.MFC42 ref: 004073C5
#2414.MFC42 ref: 004073CF
#2414.MFC42 ref: 004073D7
#2414.MFC42 ref: 004073DF
#2414.MFC42 ref: 004073E7
#2414.MFC42 ref: 004073F2
#2414.MFC42 ref: 004073FF
#2414.MFC42 ref: 00407407
#2414.MFC42 ref: 0040740F
#2414.MFC42 ref: 00407417
#2414.MFC42 ref: 00407422
#2414.MFC42 ref: 00407439
#2414.MFC42 ref: 0040745D
#2414.MFC42 ref: 00407481
#2414.MFC42 ref: 004074A2
#2414.MFC42 ref: 004074C3
#2414.MFC42 ref: 004074E4
#2414.MFC42 ref: 00407505
#2414.MFC42 ref: 00407526
#2414.MFC42 ref: 00407547

Part of subcall function 00401B90: #2414.MFC42(?,?,?,00408A48,000000FF,00407565), ref: 00401BBB

#609.MFC42 ref: 00407581

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00407130, Relevance: 38.0, APIs: 21, Instructions: 158

APIs

#567.MFC42(?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 00407150
CreatePen.GDI32(00000006,00000001,00000000), ref: 00407266
#1641.MFC42(?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 0040726B
CreatePen.GDI32(00000006,00000003,0058C4FA), ref: 00407279
#1641.MFC42(?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 0040727E
CreatePen.GDI32(00000006,00000003,006ACAFB), ref: 0040728C
#1641.MFC42(?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 00407292
CreatePen.GDI32(00000006,00000002,0079D2FC), ref: 004072A0
#1641.MFC42(?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066,?), ref: 004072A6
CreatePen.GDI32(00000006,00000002,000097E5), ref: 004072B4
#1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000,00000066), ref: 004072BA
CreateSolidBrush.GDI32(00ECDEDF), ref: 004072CA
#1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC,00000000), ref: 004072D3
CreateSolidBrush.GDI32(00ECDFDE), ref: 004072DD
#1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF,00401CEC), ref: 004072E6
CreatePen.GDI32(00000006,00000003,00FCC699), ref: 004072F4
#1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040948A,000000FF), ref: 004072FA
CreatePen.GDI32(00000006,00000002,00FFC9A2), ref: 00407308
#1641.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040948A), ref: 0040730E
CreatePen.GDI32(00000006,00000003,00FCBDA2), ref: 0040731C
#1641.MFC42 ref: 00407322

Part of subcall function 00407CB0: CreatePen.GDI32(?,?,?), ref: 00407CC2
Part of subcall function 00407CB0: #1641.MFC42(?,?,0040733B,00000006,00000002,00FFC9A2), ref: 00407CCB

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004068C0, Relevance: 34.7, APIs: 23, Instructions: 199

APIs

#540.MFC42(0000C6CE,?,?,00000000), ref: 004068F0
#2818.MFC42(?,0040D044,?,0000C6CE,?,?,00000000), ref: 0040690E
#540.MFC42(?,?,00000000), ref: 0040691A
#2919.MFC42(000001F4,000001F4,?,?,?,00000000), ref: 0040693A
GetPrivateProfileStringA.KERNEL32(0040D234,0040D138,00000000,?,000001F4,000001F4), ref: 00406952
#540.MFC42(?,000001F4,000001F4,?,?,?,00000000), ref: 00406958
#2919.MFC42(000001F4,000001F4,?,?,000001F4,000001F4,?,?,?,00000000), ref: 0040697E
GetPrivateProfileStringA.KERNEL32(?,0040D3F0,00000000,?,000001F4,000001F4), ref: 0040698C
_mbscmp.MSVCRT(?,0040D534,?,0040D3F0,00000000,?,000001F4,000001F4,?,?,000001F4,000001F4,?,?,?,00000000), ref: 0040699E
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00406A4E
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F023F,?), ref: 00406A6A
RegQueryValueExA.ADVAPI32(?,0040D3E8,00000000,?,?,?), ref: 00406A92
#537.MFC42(?,?,?,00000000), ref: 00406AA8
#858.MFC42(?,?,?,?,00000000), ref: 00406AC0
_mbscmp.MSVCRT(?,0040D534,?,?,?,?,00000000), ref: 00406ACF
#858.MFC42(?,?,?,?,?,?,?,00000000), ref: 00406AE3
#800.MFC42(?,?,?,?,?,?,00000000), ref: 00406AF4
#860.MFC42(0040D534,?,?,00000000), ref: 00406B06
#858.MFC42(?,0040D534,?,?,00000000), ref: 00406B16
#800.MFC42(000001F4,?,?,?,00000000), ref: 00406B27
#800.MFC42(000001F4,?,?,?,00000000), ref: 00406B38
#800.MFC42(000001F4,?,?,?,00000000), ref: 00406B49
#800.MFC42(000001F4,?,?,?,00000000), ref: 00406B60

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00405050, Relevance: 30.1, APIs: 20, Instructions: 120

APIs

#540.MFC42(0000C6CE,?,00000000), ref: 00405071
#6675.MFC42(00000000,0000C6CE,?,00000000), ref: 004050A2
#4160.MFC42(00000067,0000C6CE,?,00000000), ref: 004050C7
#5953.MFC42(000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 004050D8
#4160.MFC42(00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 004050E3
#5953.MFC42(000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 004050F4
#4160.MFC42(00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 004050FF
#5953.MFC42(000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 00405110
#4160.MFC42(0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 0040511B
#5953.MFC42(000003FC,0000C6CE,0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 0040512C
#4160.MFC42(0000006B,000003FC,0000C6CE,0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE,?,00000000), ref: 00405137
#5953.MFC42(000003F4,0000C6CE,0000006B,000003FC,0000C6CE,0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067,0000C6CE), ref: 00405148
#4160.MFC42(0000006C,000003F4,0000C6CE,0000006B,000003FC,0000C6CE,0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3,0000C6CE,00000067), ref: 00405153
#5953.MFC42(000003F5,0000C6CE,0000006C,000003F4,0000C6CE,0000006B,000003FC,0000C6CE,0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE,00000068,000003F3), ref: 00405164
_mbscmp.MSVCRT(?,0040D534,000003F5,0000C6CE,0000006C,000003F4,0000C6CE,0000006B,000003FC,0000C6CE,0000006A,000003F7,0000C6CE,00000069,000003F2,0000C6CE), ref: 00405175
#3092.MFC42(000003FC,?,?,00000000), ref: 0040518A
#6215.MFC42(000003FC,?,?,00000000), ref: 00405191
#6241.MFC42(00000400,?,?,00000000), ref: 004051A4
#537.MFC42(0040D2FC,?,00000400,?,?,00000000), ref: 004051B5
#800.MFC42(0040D2FC), ref: 004051CD

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00401980, Relevance: 28.6, APIs: 19, Instructions: 71

APIs

#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019A8
#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019B5
#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019C2
#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019CF
#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019DC
#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019E9
#800.MFC42(?,?,?,004089E3,000000FF), ref: 004019F6
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A03
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A10
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A1D
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A2A
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A37
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A44
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A51
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A5E
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A6B
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A78
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A85
#800.MFC42(?,?,?,004089E3,000000FF), ref: 00401A94

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00403A50, Relevance: 28.3, APIs: 16, Instructions: 140

APIs

GetVersionExA.KERNEL32(?), ref: 00403A78
malloc.MSVCRT ref: 00403AC3
GetSystemDirectoryA.KERNEL32(?,00000064), ref: 00403AD1

Part of subcall function 00406D00: #540.MFC42(?,?,?,0040933B,000000FF,00403B0B,?,?,00000064,0000C5E4), ref: 00406D20

#540.MFC42(?,?,00000064,0000C5E4), ref: 00403B1A

Part of subcall function 00406D80: #540.MFC42(?,?,?,00000064,0000C5E4), ref: 00406DA8
Part of subcall function 00406D80: VerQueryValueA.VERSION(?,0040D42C,?,?,?,?,?,00000064,0000C5E4), ref: 00406DC6
Part of subcall function 00406D80: #2818.MFC42(?,0040D12C,?,?,0040D42C,?,?,?,?,?,00000064,0000C5E4), ref: 00406DD8
Part of subcall function 00406D80: #535.MFC42(?,?,?,?,?,00000064,0000C5E4), ref: 00406DEB
Part of subcall function 00406D80: #800.MFC42(?,?,?,?,?,00000064,0000C5E4), ref: 00406E01

#858.MFC42(?,?,?,?,00000064,0000C5E4), ref: 00403B42
#800.MFC42(?,?,?,?,00000064,0000C5E4), ref: 00403B53
#4129.MFC42(?,00000001,?,?,?,?,00000064,0000C5E4), ref: 00403B63
_mbscmp.MSVCRT(?,0040D114,?,00000001,?,?,?,?,00000064,0000C5E4), ref: 00403B76
#800.MFC42(?,00000064,0000C5E4), ref: 00403B84
#4129.MFC42(?,00000003,?,00000064,0000C5E4), ref: 00403BA0
#5710.MFC42(?,00000001,?,00000003,?,00000064,0000C5E4), ref: 00403BB6
_mbscmp.MSVCRT(?,0040D110,?,00000001,?,00000003,?,00000064,0000C5E4), ref: 00403BC3
#800.MFC42(?,00000003,?,00000064,0000C5E4), ref: 00403BD1
#800.MFC42(?,00000003,?,00000064,0000C5E4), ref: 00403BE2
free.MSVCRT ref: 00403BF4
#800.MFC42(?,?,00000064,0000C5E4), ref: 00403C09

Part of subcall function 00406D60: free.MSVCRT ref: 00406D6D
Part of subcall function 00406D60: #800.MFC42(00403C22,?,?,00000064,0000C5E4), ref: 00406D79

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00407660, Relevance: 27.2, APIs: 18, Instructions: 210

APIs

CopyRect.USER32(?), ref: 0040767C
#2859.MFC42 ref: 00407686
GetWindowTextA.USER32(?,?,00000104), ref: 004076AD
#5788.MFC42(?,?,?,00000104), ref: 004076B9
RoundRect.GDI32(?,?,00000104,00000104,?,00000005,00000005), ref: 004076DC
#5788.MFC42(?,?,?,00000104,00000104,?,00000005,00000005,?,?,?,00000104), ref: 00407725
GetSystemMetrics.USER32(0000002E), ref: 00407732
GetSystemMetrics.USER32(0000002D), ref: 00407738
InflateRect.USER32(?), ref: 00407745
#5787.MFC42(?,?,?,?,?,?,00000104,00000104,?,00000005,00000005,?,?,?,00000104), ref: 00407764
#5787.MFC42(?,?,?,?,?,?,?,?,?,?,?,00000104,00000104,?,00000005,00000005), ref: 004077A2
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004077BD
#2860.MFC42(?,?,00000031,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004077C4
lstrlenA.KERNEL32(?,?,?,?,00000031,00000000,00000000,?,?,?,?,?), ref: 004077DA
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004077EF
#5875.MFC42(00000001,?,?,?,?,?,?,?,00000031,00000000,00000000,?,?,?,?,?), ref: 00407840
DrawStateA.USER32(?,00000000,00000000,?,00000000,?,?,?,00000005,00000002), ref: 0040786E
#5875.MFC42(?,?,00000000,00000000,?,00000000,?,?,?,00000005,00000002,00000001,?,?,?,?), ref: 00407887

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004062E0, Relevance: 24.1, APIs: 16, Instructions: 120

APIs

KillTimer.USER32(?,00000003), ref: 00406300
#4853.MFC42(?,00000003), ref: 00406308
#2379.MFC42(?,00000003), ref: 0040630F
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00406330
KillTimer.USER32(?,00000002), ref: 00406349

Part of subcall function 00407060: #540.MFC42(?,?,?,004093C8,000000FF,00403524), ref: 0040707D
Part of subcall function 00407060: #2818.MFC42(?,0040D454,?), ref: 0040709E
Part of subcall function 00407060: #5953.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070B2
Part of subcall function 00407060: #800.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070C3

SendMessageA.USER32(?,00000402,?,00000000), ref: 0040636C
#6334.MFC42(00000000,?,00000402,?,00000000,?,?,00000408,00000000,00000000), ref: 00406372
UpdateWindow.USER32 ref: 0040637B
#2379.MFC42(?,00000000,?,00000402,?,00000000,?,?,00000408,00000000,00000000), ref: 00406383
KillTimer.USER32(?,00000001), ref: 00406394
GetPrivateProfileIntA.KERNEL32(0040D0D8,0040D0E4,00000000,0040D090), ref: 004063B1
GetPrivateProfileIntA.KERNEL32(0040D0D8,0040D0CC,00000000,0040D090), ref: 004063C6
GetPrivateProfileIntA.KERNEL32(0040D0D8,0040D0B0,00000000,0040D090), ref: 004063DF
#2379.MFC42(?,00000001), ref: 0040642A

Part of subcall function 00402E20: malloc.MSVCRT ref: 00402E46
Part of subcall function 00402E20: GetTempPathA.KERNEL32(000001F4), ref: 00402E5B
Part of subcall function 00402E20: #540.MFC42 ref: 00402E65
Part of subcall function 00402E20: #540.MFC42 ref: 00402E77
Part of subcall function 00402E20: #2818.MFC42(?,0040D0FC), ref: 00402E8F
Part of subcall function 00402E20: #2818.MFC42(?,0040D0F0,?,?,0040D0FC), ref: 00402E9F
Part of subcall function 00402E20: WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0E4,0040D0EC,?), ref: 00402EBB
Part of subcall function 00402E20: #6675.MFC42(00000000,00000001), ref: 00402EE7
Part of subcall function 00402E20: #540.MFC42(00000001), ref: 00402F0C
Part of subcall function 00402E20: #540.MFC42(00000001), ref: 00402F1D
Part of subcall function 00402E20: #540.MFC42(00000001), ref: 00402F2E
Part of subcall function 00402E20: #540.MFC42(00000001), ref: 00402F3F
Part of subcall function 00402E20: #2818.MFC42(?,0040D044,?,00000001), ref: 00402F5D
Part of subcall function 00402E20: #540.MFC42(?,?,00000001), ref: 00402F9B
Part of subcall function 00402E20: #2818.MFC42(?,0040D0D4,?,?,?,00000001), ref: 00402FB3
Part of subcall function 00402E20: WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0CC,?,?), ref: 00402FCF
Part of subcall function 00402E20: #800.MFC42(?,?,?,?,?,00000001), ref: 00402FE1
Part of subcall function 00402E20: #2818.MFC42(?,0040D064,?,?,?,00000001), ref: 00402FF9
Part of subcall function 00402E20: #2919.MFC42(000001F4,000001F4,?,?,?,?,?,?,00000001), ref: 0040301E
Part of subcall function 00402E20: GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 00403028
Part of subcall function 00402E20: #2818.MFC42(?,0040D0C4,?,?,?,?,?,00000000,?,000001F4,000001F4,?), ref: 0040304B
Part of subcall function 00402E20: #858.MFC42(?,?,?,00000001), ref: 00403061
Part of subcall function 00402E20: #2818.MFC42(?,0040D0BC,?,?,?,?,?,00000001), ref: 0040307A
Part of subcall function 00402E20: #6675.MFC42(?,?,?,?,?,?,?,00000001), ref: 0040308B
Part of subcall function 00402E20: #4224.MFC42(?,?,00000001,?,?,?,?,?,?,?,00000001), ref: 004030AF
Part of subcall function 00402E20: #540.MFC42(?,?,00000001,?,?,?,?,?,?,?,00000001), ref: 004030CE
Part of subcall function 00402E20: #2818.MFC42(?,0040D0D4,?,?,?,00000001,?,?,?,?,?,?,?,00000001), ref: 004030EC
Part of subcall function 00402E20: WritePrivateProfileStringA.KERNEL32(0040D0D8,0040D0B0,?,?), ref: 00403108
Part of subcall function 00402E20: #535.MFC42(?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 0040312D
Part of subcall function 00402E20: PathFileExistsA.SHLWAPI ref: 00403141
Part of subcall function 00402E20: _mbscmp.MSVCRT(?,0040D0A8,?,?,?,?,?,?,?,?,00000001), ref: 004031A0
Part of subcall function 00402E20: CopyFileA.KERNEL32(?,?,00000000), ref: 004031B4
Part of subcall function 00402E20: ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004031C7
Part of subcall function 00402E20: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004031DD
Part of subcall function 00402E20: GetForegroundWindow.USER32 ref: 004031E7
Part of subcall function 00402E20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403204
Part of subcall function 00402E20: DispatchMessageA.USER32(?), ref: 0040320F
Part of subcall function 00402E20: _mbscmp.MSVCRT(?,0040D0A4,?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 00403220
Part of subcall function 00402E20: #4224.MFC42(?,?,00000000,?,?,?,?,?,?,?,?,00000001), ref: 0040324C
Part of subcall function 00402E20: #4224.MFC42(?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 0040326E
Part of subcall function 00402E20: _mbscmp.MSVCRT(?,0040D0A8,?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 0040328B
Part of subcall function 00402E20: CopyFileA.KERNEL32(?,?,00000000), ref: 0040329F
Part of subcall function 00402E20: ShellExecuteExA.SHELL32(?,?,?,00000001,?,?,?,?,?,?,?,?,00000001), ref: 004032B2
Part of subcall function 00402E20: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004032C8
Part of subcall function 00402E20: GetForegroundWindow.USER32 ref: 004032D2
Part of subcall function 00402E20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004032F3
Part of subcall function 00402E20: DispatchMessageA.USER32(?), ref: 00403301
Part of subcall function 00402E20: #1200.MFC42(?,00000010,00000000,?,?,?,?,?,?,?,?,00000001), ref: 00403313
Part of subcall function 00402E20: #800.MFC42(?,00000010,00000000,?,?,?,?,?,?,?,?,00000001), ref: 00403324
Part of subcall function 00402E20: #535.MFC42(?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 00403349
Part of subcall function 00402E20: #535.MFC42(?,?,?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 00403361
Part of subcall function 00402E20: #4224.MFC42(?,0040D0A0,00000001,?,?,?,?,00000000,?,?,?,?,?,?,?,00000001), ref: 0040337D
Part of subcall function 00402E20: #800.MFC42(?,?,00000001), ref: 004033B0
Part of subcall function 00402E20: #800.MFC42(?,?,00000001), ref: 004033C1
Part of subcall function 00402E20: #800.MFC42(?,?,00000001), ref: 004033D2
Part of subcall function 00402E20: #800.MFC42(?,?,00000001), ref: 004033E3
Part of subcall function 00402E20: #1200.MFC42(?,00000010,00000000,00000001), ref: 004033F4
Part of subcall function 00402E20: #535.MFC42(?,?,?,00000010,00000000,00000001), ref: 00403405
Part of subcall function 00402E20: #535.MFC42(?,?,?,?,?,00000010,00000000,00000001), ref: 0040341D
Part of subcall function 00402E20: free.MSVCRT ref: 0040342A
Part of subcall function 00402E20: #800.MFC42(00000000), ref: 00403448
Part of subcall function 00402E20: #800.MFC42(00000000), ref: 0040345C

#2379.MFC42(?,00000001), ref: 00406411
#2379.MFC42(?,00000001), ref: 0040644B

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00407AB0, Relevance: 22.6, APIs: 15, Instructions: 142

APIs

#4297.MFC42(?), ref: 00407B21
#5788.MFC42(?,?), ref: 00407B36
#4133.MFC42(?,?,?,?), ref: 00407B49
#5788.MFC42(?,?,?,?,?), ref: 00407B55
#4297.MFC42(?,?,?,?,?,?,?,?), ref: 00407B6B
#4133.MFC42(?,?,?,?,?,?,?,?,?,?), ref: 00407B7B
#5788.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 00407B87
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407B9B
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407BAB
#5788.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407BB7
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407BCA
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407BDA
#5788.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407BE6
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407BF8
DrawFocusRect.USER32(?,?), ref: 00407C17

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00412FC2, Relevance: 22.5, APIs: 10, Strings: 1, Instructions: 97

APIs

ShowWindow.USER32(?,00000005), ref: 00412FDE
ShowWindow.USER32 ref: 00412FF0
ShowWindow.USER32 ref: 00413002
ShowWindow.USER32 ref: 00413014
ShowWindow.USER32 ref: 00413026
ShowWindow.USER32 ref: 00413038
ShowWindow.USER32 ref: 0041304A
ShowWindow.USER32 ref: 0041305A
DestroyWindow.USER32(00000000), ref: 00413070
CreateWindowExW.USER32 ref: 004130A1

Strings

LogsList_Class, xrefs: 00413097

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00404400, Relevance: 21.1, APIs: 14, Instructions: 103

APIs

#540.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404422
#540.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404433
#540.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404441
#540.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 0040444F
#2818.MFC42(?,0040D188,?,?,0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404471
#2818.MFC42(?,0040D064,00000000,0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004044A5
#2818.MFC42(?,0040D180,?,?,0040D064,00000000,0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 004044B7
#2919.MFC42(000001F4,000001F4,?,?,?,?,?,?,?,0000C6CE,?,?,00000000,00000000,00FFF7F7), ref: 004044DA
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,000001F4,000001F4), ref: 004044E4
#535.MFC42(?,?,?,000001F4,000001F4,?,?,?,?,?,?,?,0000C6CE,?,?,00000000), ref: 004044F6

Part of subcall function 00404570: #540.MFC42(?,?,?), ref: 00404599
Part of subcall function 00404570: #6663.MFC42(0040D17C,00000002,?,?,?), ref: 004045B9
Part of subcall function 00404570: #5710.MFC42(?,?,0040D17C,00000002,?,?,?), ref: 004045CB
Part of subcall function 00404570: #2818.MFC42 ref: 004045E9
Part of subcall function 00404570: #800.MFC42(00000002,?,?,?), ref: 004045F9
Part of subcall function 00404570: #6663.MFC42(0040D17C,00000001,00000002,?,?,?), ref: 00404608
Part of subcall function 00404570: #4129.MFC42(?,?,0040D17C,00000001,00000002,?,?,?), ref: 00404617
Part of subcall function 00404570: #858.MFC42(?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 00404629
Part of subcall function 00404570: #800.MFC42(?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 00404636
Part of subcall function 00404570: #6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 0040464C
Part of subcall function 00404570: #5710.MFC42(?,?,0040D17C,00000001,?,?,?,0040D17C,00000001,00000002,?,?,?), ref: 0040465E
Part of subcall function 00404570: #858.MFC42(?,?), ref: 0040466D
Part of subcall function 00404570: #800.MFC42(?,?), ref: 0040467A
Part of subcall function 00404570: #6663.MFC42(0040D17C,00000001,?,?), ref: 00404689
Part of subcall function 00404570: #4129.MFC42(?,?,0040D17C,00000001,?,?), ref: 00404698
Part of subcall function 00404570: #858.MFC42(?,?,?,0040D17C,00000001,?,?), ref: 004046A6
Part of subcall function 00404570: #800.MFC42(?,?,?,0040D17C,00000001,?,?), ref: 004046B3
Part of subcall function 00404570: #6663.MFC42(0040D17C,00000001,?,?,?,0040D17C,00000001,?,?), ref: 004046C9

#800.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404529
#800.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404537
#800.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404545
#800.MFC42(0000C6CE,?,?,00000000,00000000,00FFF7F7,?,00001036,00000000,00000027), ref: 00404556

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00404F00, Relevance: 21.1, APIs: 14, Instructions: 97

APIs

#6675.MFC42(00000000), ref: 00404F38
#540.MFC42 ref: 00404F58
#540.MFC42 ref: 00404F69
#540.MFC42 ref: 00404F77
#4160.MFC42(00000066), ref: 00404F87
#4160.MFC42(00000067,00000066), ref: 00404F92
#6888.MFC42(00000000,00000001,?,00000067,00000066), ref: 00404FB6
#6199.MFC42(00000066,00000000,00000001,?,00000067,00000066), ref: 00404FC6
#6888.MFC42(00000000,00000000,?,00000067,00000066), ref: 00404FDA
#6199.MFC42(00000067,00000000,00000000,?,00000067,00000066), ref: 00404FEA
SetDlgItemTextA.USER32(?,000003F3,00000067), ref: 00404FFD
#800.MFC42(00000067,00000066), ref: 00405013
#800.MFC42(00000067,00000066), ref: 00405021
#800.MFC42(00000067,00000066), ref: 00405032

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004067A0, Relevance: 19.5, APIs: 11, Instructions: 68

APIs

#540.MFC42 ref: 004067CF
#535.MFC42(?), ref: 004067E5

Part of subcall function 00405A20: #540.MFC42 ref: 00405A56
Part of subcall function 00405A20: #540.MFC42 ref: 00405A67
Part of subcall function 00405A20: #540.MFC42 ref: 00405A78
Part of subcall function 00405A20: #4129.MFC42(?,00000003), ref: 00405A93
Part of subcall function 00405A20: #858.MFC42(?,?,00000003), ref: 00405AA5
Part of subcall function 00405A20: #800.MFC42(?,?,00000003), ref: 00405AB6
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D398,?,?,00000003), ref: 00405ACB
Part of subcall function 00405A20: #4129.MFC42(?,0000000C), ref: 00405AE2
Part of subcall function 00405A20: #858.MFC42(?,?,0000000C), ref: 00405AF4
Part of subcall function 00405A20: #5710.MFC42(?), ref: 00405B2A
Part of subcall function 00405A20: #858.MFC42(?,?), ref: 00405B3C
Part of subcall function 00405A20: #800.MFC42(?,?), ref: 00405B4D
Part of subcall function 00405A20: #6663.MFC42(?,00000001,?,?), ref: 00405B5D
Part of subcall function 00405A20: #4129.MFC42(?,?,?,00000001,?,?), ref: 00405B6C
Part of subcall function 00405A20: #922.MFC42(?,?,?,?,?,?,00000001,?,?), ref: 00405B85
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405B97
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405BA7
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405BB8
Part of subcall function 00405A20: _mbscmp.MSVCRT(00000001,0040D534,?,?,?,?,?,?,?,00000001,?,?), ref: 00405BC7
Part of subcall function 00405A20: #4129.MFC42(?,0000000C,?), ref: 00405BDE
Part of subcall function 00405A20: #858.MFC42(?,?,0000000C,?), ref: 00405BF0
Part of subcall function 00405A20: #800.MFC42(?,?,0000000C,?), ref: 00405C01
Part of subcall function 00405A20: #5710.MFC42(?,?,?), ref: 00405C26
Part of subcall function 00405A20: #858.MFC42(?,?,?,?), ref: 00405C3B
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 00405C4C
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D534,?,?,?,?), ref: 00405C5B
Part of subcall function 00405A20: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405CE9
Part of subcall function 00405A20: RegQueryValueExA.ADVAPI32(?,0040D36C,00000000,?,?,?), ref: 00405D0E
Part of subcall function 00405A20: #537.MFC42(?,?,?,?), ref: 00405D21
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 00405D2A
Part of subcall function 00405A20: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405D52
Part of subcall function 00405A20: RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00405D99
Part of subcall function 00405A20: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405E13
Part of subcall function 00405A20: RegQueryValueExA.ADVAPI32(?,0040D36C,00000000,?,?,?), ref: 00405E34
Part of subcall function 00405A20: #537.MFC42(?,?,?,?), ref: 00405E47
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D534,?,?,?,?), ref: 00405E5E
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?), ref: 00405E7B
Part of subcall function 00405A20: RegCloseKey.ADVAPI32(?), ref: 00405E85
Part of subcall function 00405A20: RegCloseKey.ADVAPI32(?), ref: 00405EA3
Part of subcall function 00405A20: #5710.MFC42(?,?,?,?,?), ref: 00405EC9
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?), ref: 00405EDB
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?), ref: 00405EEC
Part of subcall function 00405A20: #6663.MFC42(?,00000001,?,?,?,?,?,?), ref: 00405EFC
Part of subcall function 00405A20: #4129.MFC42(?,?,?,00000001,?,?,?,?,?,?), ref: 00405F0B
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F1D
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F2E
Part of subcall function 00405A20: _mbscmp.MSVCRT(00000001,0040D534,?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F3D
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?), ref: 00405F52
Part of subcall function 00405A20: #922.MFC42(?,?,?,?,?,?,?,?), ref: 00405F68
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?,?,?,?), ref: 00405F7A
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,?,?), ref: 00405F8B
Part of subcall function 00405A20: #5710.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 00405FB0
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FC5
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FD6
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FE5
Part of subcall function 00405A20: #535.MFC42(?,?,?,?), ref: 00406000
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 00406019
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 0040602A
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 0040603B

#858.MFC42 ref: 00406800
#800.MFC42 ref: 0040680E
#6663.MFC42(0040D3E4,00000001), ref: 00406825
#5710.MFC42(?,?,0040D3E4,00000001), ref: 00406837
#858.MFC42(?,?,?,0040D3E4,00000001), ref: 00406846
#800.MFC42(?,?,?,0040D3E4,00000001), ref: 00406854
#535.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406864
#800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 0040687A
#800.MFC42(?,?,?,?,0040D3E4,00000001), ref: 00406888

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00438AC7, Relevance: 16.7, APIs: 4, Strings: 4, Instructions: 306

APIs

GetModuleFileNameW.KERNEL32(00000000,004AB9D2,00000104,?,00000001,00000000), ref: 00438B59

Part of subcall function 0043E686: RtlEncodePointer.NTDLL(00000000), ref: 0043E6AE
Part of subcall function 0043E686: LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000800), ref: 0043E6D4
Part of subcall function 0043E686: RtlGetLastWin32Error.NTDLL ref: 0043E6E0
Part of subcall function 0043E686: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0043E6F4
Part of subcall function 0043E686: GetProcAddress.KERNEL32(?,MessageBoxW), ref: 0043E70A
Part of subcall function 0043E686: RtlEncodePointer.NTDLL ref: 0043E719
Part of subcall function 0043E686: GetProcAddress.KERNEL32(?,GetActiveWindow), ref: 0043E726
Part of subcall function 0043E686: RtlEncodePointer.NTDLL ref: 0043E72D
Part of subcall function 0043E686: GetProcAddress.KERNEL32(?,GetLastActivePopup), ref: 0043E73A
Part of subcall function 0043E686: RtlEncodePointer.NTDLL ref: 0043E741
Part of subcall function 0043E686: GetProcAddress.KERNEL32(?,GetUserObjectInformationW), ref: 0043E74E
Part of subcall function 0043E686: RtlEncodePointer.NTDLL ref: 0043E755
Part of subcall function 0043E686: GetProcAddress.KERNEL32(?,GetProcessWindowStation), ref: 0043E766
Part of subcall function 0043E686: RtlEncodePointer.NTDLL ref: 0043E76D
Part of subcall function 0043E686: IsDebuggerPresent.KERNEL32 ref: 0043E777
Part of subcall function 0043E686: OutputDebugStringW.KERNEL32(?), ref: 0043E789
Part of subcall function 0043E686: RtlDecodePointer.NTDLL(?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E7A7
Part of subcall function 0043E686: RtlDecodePointer.NTDLL(?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E7C9
Part of subcall function 0043E686: RtlDecodePointer.NTDLL(?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E7D4
Part of subcall function 0043E686: RtlDecodePointer.NTDLL(?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E819
Part of subcall function 0043E686: RtlDecodePointer.NTDLL(?,?,?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E831
Part of subcall function 0043E686: RtlDecodePointer.NTDLL(?,004AB9A0,00000000,?,?,?,?,?,00438C0C,004AB9A0,Microsoft Visual C++ Runtime Library,00012010), ref: 0043E845

GetStdHandle.KERNEL32(000000F4), ref: 00438C13
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00438C62

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Part of subcall function 00439659: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043965B

RtlGetLastWin32Error.NTDLL ref: 00438CE6

Part of subcall function 00437D2A: Sleep.KERNEL32(00000000), ref: 00437D50

Part of subcall function 004355F3: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435607
Part of subcall function 004355F3: RtlGetLastWin32Error.NTDLL ref: 00435619

Part of subcall function 00438863: GetLocaleInfoW.KERNEL32(?,?,00000002,?), ref: 0043888A

Strings

Runtime Error!Program: , xrefs: 00438B27
<program name unknown>, xrefs: 00438B68
..., xrefs: 00438BB0
Microsoft Visual C++ Runtime Library, xrefs: 00438C01

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 004082D4, Relevance: 16.6, APIs: 11, Instructions: 111

APIs

__set_app_type.MSVCRT ref: 00408301
__p__fmode.MSVCRT ref: 00408316
__p__commode.MSVCRT ref: 00408324
__setusermatherr.MSVCRT ref: 00408350

Part of subcall function 00408450: _controlfp.MSVCRT ref: 0040845A

_initterm.MSVCRT ref: 00408366
__getmainargs.MSVCRT ref: 00408389
_initterm.MSVCRT ref: 00408399
GetStartupInfoA.KERNEL32(?), ref: 004083D8
GetModuleHandleA.KERNEL32(00000000), ref: 004083FC

Part of subcall function 0040847E: #1576.MFC42(00408408,00408408,00408408,00408408,00408408,?,?,0000000A), ref: 0040848E

exit.MSVCRT ref: 0040840C
_XcptFilter.MSVCRT ref: 0040841E

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0042C274, Relevance: 16.2, APIs: 4, Strings: 4, Instructions: 47

APIs

Part of subcall function 0042C700: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C73C
Part of subcall function 0042C700: RegCreateKeyExW.ADVAPI32(?,Download,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C754
Part of subcall function 0042C700: RegSetValueExW.ADVAPI32(0042C28F,CheckExeSignatures,00000000,00000001,00472620,00000006), ref: 0042C76E
Part of subcall function 0042C700: RegCloseKey.ADVAPI32(0042C28F), ref: 0042C779
Part of subcall function 0042C700: RegCreateKeyExW.ADVAPI32(?,Extensions,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C793
Part of subcall function 0042C700: RegCloseKey.ADVAPI32(0042C28F), ref: 0042C798
Part of subcall function 0042C700: RegCreateKeyExW.ADVAPI32(?,LowRegistry\DontShowMeThisDialogAgain,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C7B2
Part of subcall function 0042C700: RegCloseKey.ADVAPI32(0042C28F), ref: 0042C7B7
Part of subcall function 0042C700: RegCreateKeyExW.ADVAPI32(?,Main,00000000,00000000,00000000,00000002,00000000,?,?), ref: 0042C7D1
Part of subcall function 0042C700: RegSetValueExW.ADVAPI32(0042C28F,Play_Animations,00000000,00000001,00472620,00000006), ref: 0042C7E6

LoadIconW.USER32(00000000,00007F00), ref: 0042C2BB
LoadCursorW.USER32(00000000,00007F00), ref: 0042C2C2
LoadIconW.USER32(00000000,00007F00), ref: 0042C2DE
RegisterClassExW.USER32(?), ref: 0042C2E7

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Antivirus Security Pro, xrefs: 0042C285
Browser_Class, xrefs: 0042C289
0, xrefs: 0042C2A4
BASEWND, xrefs: 0042C2D7

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00436B1D, Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 386

APIs

Part of subcall function 0043B39C: RtlDecodePointer.NTDLL(00480FB0,00000008,00436B58,19930522,00000000,E06D7363), ref: 0043B3AE

Part of subcall function 004334B0: RaiseException.KERNEL32(?,?,?,?), ref: 00433501

Part of subcall function 004338CC: RtlUnwind.NTDLL(00000000,004338F6,19930522,00000000,?,?,00000000,?,?,?,00436E9E,?,?,00480E0C,?,19930522), ref: 004338F0

RtlEncodePointer.NTDLL(00000000), ref: 00436EE2

Strings

csm, xrefs: 00436B5B
csm, xrefs: 00436BDA
KG, xrefs: 00436C55
csm, xrefs: 00436C89
bad exception, xrefs: 00436E75
"hC, xrefs: 00436E8A
MOC, xrefs: 00436EF7
RCC, xrefs: 00436EFF

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00402CC0, Relevance: 15.1, APIs: 10, Instructions: 114

APIs

Part of subcall function 00405390: GetModuleFileNameA.KERNEL32(00000000,?,000001F4), ref: 004053D0
Part of subcall function 00405390: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00405417
Part of subcall function 00405390: RegDeleteValueA.ADVAPI32(?,0040D0D8), ref: 00405452
Part of subcall function 00405390: RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 00405470
Part of subcall function 00405390: RegSetValueExA.ADVAPI32(?,0040D0D8,?,00000001,?,00000100), ref: 00405491
Part of subcall function 00405390: RegCloseKey.ADVAPI32 ref: 0040549C

#6675.MFC42(00000000,00000001), ref: 00402CFB
_mbscmp.MSVCRT(?,0040D534,00000001), ref: 00402D42
#4224.MFC42(?,?,00000001), ref: 00402D83
#6215.MFC42(00000000,?,?,00000001), ref: 00402D91
#6215.MFC42(00000005,?,?,00000001), ref: 00402DA6
#4224.MFC42(?,?,00000001,00000001), ref: 00402DBF
#6215.MFC42(00000000,?,?,00000001,00000001), ref: 00402DCD
#6215.MFC42(00000005,?,?,00000001,00000001), ref: 00402DE2
#1200.MFC42(?,00000010,00000000,00000001), ref: 00402DF3
#537.MFC42(0040D090,?,?,00000010,00000000,00000001), ref: 00402E04

Part of subcall function 00406460: DeleteFileA.KERNEL32(?), ref: 00406465
Part of subcall function 00406460: #800.MFC42(?,?,00000010,00000000,00000001), ref: 0040646F

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004061B4, Relevance: 15.1, APIs: 10, Instructions: 89

APIs

#540.MFC42 ref: 004061D2
#860.MFC42(0040D090), ref: 004061EB
#356.MFC42(0040D090), ref: 004061F4
#2770.MFC42(?,00000000,0040D090), ref: 0040620C
CreateFileA.KERNEL32(?,40000000,00000002,?,00000001,00000080), ref: 0040622D
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406277
CloseHandle.KERNEL32 ref: 0040627E
SetTimer.USER32(?,00000001,0000000A,00000000), ref: 00406291
#668.MFC42(?,00000001,0000000A,00000000,?,00000000,0040D090), ref: 004062A3
#800.MFC42(?,00000001,0000000A,00000000,?,00000000,0040D090), ref: 004062B7

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00410DB2, Relevance: 14.3, APIs: 4, Strings: 3, Instructions: 123

APIs

Part of subcall function 00435F62: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00435F6B

CreateFileW.KERNEL32(?,001F01FF,00000003,00000000,00000002,00000080,00000000), ref: 00410EAD
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00410EC9
CloseHandle.KERNEL32 ref: 00410ED0
ShellExecuteExW.SHELL32(?), ref: 00410F28

Strings

.exe, xrefs: 00410E12
<, xrefs: 00410F00
open, xrefs: 00410F0A

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00406B90, Relevance: 14.2, APIs: 8, Instructions: 71

APIs

GetSystemDirectoryA.KERNEL32 ref: 00406BD8
sprintf.MSVCRT ref: 00406BFA
LoadLibraryA.KERNEL32(?), ref: 00406C0F
LoadLibraryA.KERNEL32(0040D40C), ref: 00406C1C
GetProcAddress.KERNEL32(?,0040D3FC), ref: 00406C2A
GetCurrentProcess.KERNEL32 ref: 00406C3B
FreeLibrary.KERNEL32 ref: 00406C49
FreeLibrary.KERNEL32 ref: 00406C5F

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00439684, Relevance: 14.2, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(0043E9F5,?), ref: 00439694
InterlockedIncrement.KERNEL32(55CCCCCC,?,?), ref: 0043969F
InterlockedIncrement.KERNEL32(0043EA75,?,?), ref: 004396AC
InterlockedIncrement.KERNEL32(FE6AEC8B,?,?), ref: 004396B7
InterlockedIncrement.KERNEL32(0043EA7D,?,?), ref: 004396C4
InterlockedIncrement.KERNEL32(?,?,?), ref: 004396DF
InterlockedIncrement.KERNEL32(00FC7D80,?,?), ref: 004396F3
InterlockedIncrement.KERNEL32(0043E9E1,?,?), ref: 0043970D

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 004078B0, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 171

APIs

CreateSolidBrush.GDI32 ref: 004079D1
#1641.MFC42 ref: 004079D6
SetRect.USER32(?), ref: 00407A19
FillRect.USER32(?,?,?), ref: 00407A42
#2414.MFC42 ref: 00407A63

Strings

VUUU, xrefs: 00407944
VUUU, xrefs: 00407964
gfff, xrefs: 004079AB

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004027CB, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68

APIs

IsIconic.USER32(?), ref: 004027E7
GetClassNameW.USER32(?,?,00001000), ref: 00402804
GetWindowTextW.USER32(?,?,00001000), ref: 0040282E
IsWindowVisible.USER32(?), ref: 00402850
ShowWindow.USER32(?,00000000), ref: 0040285E

Part of subcall function 0040D50F: RtlEnterCriticalSection.NTDLL(004A94F8,?,?,00401DAC), ref: 0040D517
Part of subcall function 0040D50F: RtlLeaveCriticalSection.NTDLL(004A94F8,?,?,00401DAC), ref: 0040D524

PostMessageW.USER32(?,00000548,00000000,00000000), ref: 00402871

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

CabinetWClass, xrefs: 00402814
Action Center, xrefs: 0040283E

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041A39F, Relevance: 14.1, APIs: 7, Instructions: 58

APIs

KillTimer.USER32(?,00008104), ref: 0041A3BC
GetWindowLongW.USER32(?,000000EC), ref: 0041A3D6
SetWindowLongW.USER32(?,000000EC), ref: 0041A3E6
KillTimer.USER32 ref: 0041A3F1
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 0041A418
SetTimer.USER32(?,00008101,00000003,00000000), ref: 0041A430
DestroyWindow.USER32 ref: 0041A440

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00401FE0, Relevance: 13.6, APIs: 9, Instructions: 52

APIs

#2302.MFC42(?,000003F7), ref: 00401FF5
#2302.MFC42(?,000003F5,?,?,000003F7), ref: 00402007
#2302.MFC42(?,000003F4,?,?,000003F5,?,?,000003F7), ref: 00402019
#2302.MFC42(?,000003FC,?,?,000003F4,?,?,000003F5,?,?,000003F7), ref: 0040202B
#2302.MFC42(?,000003F2,?,?,000003FC,?,?,000003F4,?,?,000003F5,?,?,000003F7), ref: 0040203D
#2302.MFC42(?,000003F3,?,?,000003F2,?,?,000003FC,?,?,000003F4,?,?,000003F5,?,?), ref: 0040204F
#2302.MFC42(?,000003F9,?,?,000003F3,?,?,000003F2,?,?,000003FC,?,?,000003F4,?,?), ref: 00402061
#2302.MFC42(?,000003F1,?,?,000003F9,?,?,000003F3,?,?,000003F2,?,?,000003FC,?,?), ref: 00402073
#2302.MFC42(?,000003E8,?,?,000003F1,?,?,000003F9,?,?,000003F3,?,?,000003F2,?,?), ref: 00402085

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004334A1, Relevance: 13.0, APIs: 1, Instructions: 59

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Part of subcall function 00435A88: IsDebuggerPresent.KERNEL32 ref: 00435A8B

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00439048, Relevance: 12.5, APIs: 7, Instructions: 89

APIs

Part of subcall function 004365F8: RtlEnterCriticalSection.NTDLL(00000000,?,0043A38C,0000000D), ref: 00436623

RtlDecodePointer.NTDLL(00480E68,0000001C,00438FBB,0043E9F5,00000001,00000000,?,00438EFC,000000FF,?,0043A2CF,00000010,?,004332C3,00000000), ref: 00439095
RtlDecodePointer.NTDLL(?,00438EFC,000000FF,?,0043A2CF,00000010,?,004332C3,00000000), ref: 004390A6
RtlEncodePointer.NTDLL(00000000), ref: 004390BF
RtlDecodePointer.NTDLL(?,?,00438EFC,000000FF,?,0043A2CF,00000010,?,004332C3,00000000), ref: 004390CF
RtlEncodePointer.NTDLL(00000000), ref: 004390D5
RtlDecodePointer.NTDLL(?,?,00438EFC,000000FF,?,0043A2CF,00000010,?,004332C3,00000000), ref: 004390EB
RtlDecodePointer.NTDLL(?,?,00438EFC,000000FF,?,0043A2CF,00000010,?,004332C3,00000000), ref: 004390F6

Part of subcall function 0043675C: RtlLeaveCriticalSection.NTDLL(?,00436725,0000000A,00436715), ref: 00436769

Part of subcall function 00438ECB: ExitProcess.KERNEL32(0043E9F5,?,00439162,0043E9F5,00480E68,0000001C,00438FBB,0043E9F5,00000001,00000000,?,00438EFC,000000FF,?,0043A2CF,00000010), ref: 00438EDA

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041BE29, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102

APIs

GetWindowRect.USER32(?,?), ref: 0041BE50
GetDesktopWindow.USER32(?,?,?), ref: 0041BE56
GetWindowRect.USER32 ref: 0041BE5D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0041BE67
GetWindowRect.USER32(?,?), ref: 0041BE7A
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00000001), ref: 0041BF0A

Part of subcall function 0041BBC9: GetDesktopWindow.USER32(?), ref: 0041BBE0
Part of subcall function 0041BBC9: GetWindowRect.USER32 ref: 0041BBE7
Part of subcall function 0041BBC9: SetWindowPos.USER32(?,00000000,?,?,?,?,?), ref: 0041BC54

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Shell_TrayWnd, xrefs: 0041BE62

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042BFCC, Relevance: 12.2, APIs: 4, Strings: 2, Instructions: 50

APIs

GetWindowRect.USER32(?,?), ref: 0042C007
CreateWindowExW.USER32 ref: 0042C03D
ShowWindow.USER32(?,00000001), ref: 0042C049
UpdateWindow.USER32(?), ref: 0042C052

Strings

Security Window, xrefs: 0042C031
BASEWND, xrefs: 0042C036

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041DAD2, Relevance: 12.1, APIs: 8, Instructions: 99

APIs

FindResourceW.KERNEL32(?,?,?), ref: 0041DAE8
SizeofResource.KERNEL32(?), ref: 0041DAFD
LoadResource.KERNEL32(?), ref: 0041DB11
LockResource.KERNEL32 ref: 0041DB18
GlobalAlloc.KERNEL32(00000002), ref: 0041DB2C
GlobalLock.KERNEL32 ref: 0041DB40
CreateStreamOnHGlobal.OLE32(?,00000000,?), ref: 0041DB60
GlobalUnlock.KERNEL32 ref: 0041DBB2

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043986E, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(0043E9F5,?,?), ref: 00439886
InterlockedDecrement.KERNEL32(55CCCCCC), ref: 00439891
InterlockedDecrement.KERNEL32(0043EA75), ref: 0043989E
InterlockedDecrement.KERNEL32(FE6AEC8B), ref: 004398A9
InterlockedDecrement.KERNEL32(0043EA7D), ref: 004398B6
InterlockedDecrement.KERNEL32 ref: 004398D1
InterlockedDecrement.KERNEL32(00FC7D80), ref: 004398E5
InterlockedDecrement.KERNEL32(0043E9E1), ref: 00439900

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00405390, Relevance: 11.8, APIs: 6, Instructions: 92

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000001F4), ref: 004053D0
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00405417
RegDeleteValueA.ADVAPI32(?,0040D0D8), ref: 00405452
RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 00405470
RegSetValueExA.ADVAPI32(?,0040D0D8,?,00000001,?,00000100), ref: 00405491
RegCloseKey.ADVAPI32 ref: 0040549C

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 004203A0, Relevance: 11.0, APIs: 6, Instructions: 111

APIs

InvalidateRect.USER32(?,?,00000001), ref: 004203F1
PtInRect.USER32(?,01D17A38,?), ref: 00420418
PtInRect.USER32(?,01D17A38,?), ref: 0042044C
InvalidateRect.USER32(?,?,00000001), ref: 00420481
InvalidateRect.USER32(?,?,00000001), ref: 004204A5
PtInRect.USER32(?,01D17A38,?), ref: 004204BC

Part of subcall function 0041FADB: PtInRect.USER32(?,01D17A38,?), ref: 0041FB07
Part of subcall function 0041FADB: PtInRect.USER32(?,01D17A38,?), ref: 0041FB33

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00439220, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 226

APIs

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Part of subcall function 0043EC92: RtlUnwind.NTDLL(00000001,0043ECA6,?,00000000,?,?,?,?,004392FD), ref: 0043ECA1

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004393CE

Strings

csm, xrefs: 004392C2
qgC, xrefs: 004392CA 004392D3 004392E9
Genu, xrefs: 0043947F
ineI, xrefs: 00439488
ntel, xrefs: 00439491

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042C060, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71

APIs

CoInitialize.OLE32(00000000), ref: 0042C077
OleCreate.OLE32(0047A13C,0047226C,00000001,00000000), ref: 0042C097
OleSetContainedObject.OLE32(?,00000001), ref: 0042C0B3
GetClientRect.USER32(?,?), ref: 0042C0E3

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Web View, xrefs: 0042C09F
Web Host, xrefs: 0042C0A6

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00401F50, Relevance: 10.5, APIs: 7, Instructions: 35

APIs

#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401F70
#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401F80
#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401F8D
#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401F9A
#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401FA7
#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401FB4
#540.MFC42(?,?,?,00408C82,000000FF), ref: 00401FC1

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00401AB0, Relevance: 10.5, APIs: 7, Instructions: 35

APIs

#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401AD8
#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401AE5
#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401AF2
#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401AFF
#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401B0C
#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401B19
#800.MFC42(?,?,?,00408A32,000000FF), ref: 00401B29

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00427414, Relevance: 10.3, APIs: 3, Strings: 2, Instructions: 107

APIs

Part of subcall function 0041DA0B: InvalidateRect.USER32(0000024C,00000250,00000001), ref: 0041DA26

Part of subcall function 0041E626: InvalidateRect.USER32(000000AC,000000B0,00000001), ref: 0041E642

DestroyWindow.USER32(000000B0), ref: 004274A3
SendMessageW.USER32(000000B0,00000439,00000000,?), ref: 00427513
SendMessageW.USER32(000000B4,00000439,00000000,?), ref: 00427570

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

0, xrefs: 0042750C
0, xrefs: 00427548

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040D3FB, Relevance: 10.3, APIs: 4, Strings: 1, Instructions: 85

APIs

GetDesktopWindow.USER32(?,00000000), ref: 0040D411
GetWindowRect.USER32 ref: 0040D41E
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040D427
GetWindowRect.USER32(?,?), ref: 0040D43B

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

Shell_TrayWnd, xrefs: 0040D422

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 004355F3, Relevance: 9.3, APIs: 2, Instructions: 21

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435607
RtlGetLastWin32Error.NTDLL ref: 00435619

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041B6FC, Relevance: 9.2, APIs: 4, Instructions: 409

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 004066F0, Relevance: 9.2, APIs: 5, Instructions: 51

APIs

#535.MFC42(?,?,?,?,?,?,?,00409290,000000FF,00403907,?,?,?,?,?,00000000), ref: 0040671F

Part of subcall function 004070E0: #6199.MFC42(?,?,004093E8,000000FF,0040672E,?,?,?,?,?,?,?,00409290,000000FF,00403907), ref: 00407102
Part of subcall function 004070E0: #800.MFC42(?,?,004093E8,000000FF,0040672E,?,?,?,?,?,?,?,00409290,000000FF,00403907), ref: 00407113

#535.MFC42(?,?,?,?,?,?,?,?,?,00409290,000000FF,00403907,?,?,?), ref: 0040673A

Part of subcall function 00407010: #5953.MFC42(00000401,?,?,004093A8,000000FF,0040373C,?,?,?,?,00000000), ref: 00407037
Part of subcall function 00407010: #800.MFC42(00000401,?,?,004093A8,000000FF,0040373C,?,?,?,?,00000000), ref: 00407048

Part of subcall function 00407060: #540.MFC42(?,?,?,004093C8,000000FF,00403524), ref: 0040707D
Part of subcall function 00407060: #2818.MFC42(?,0040D454,?), ref: 0040709E
Part of subcall function 00407060: #5953.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070B2
Part of subcall function 00407060: #800.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070C3

SendMessageA.USER32(?,00000402,?,00000000), ref: 00406761
#800.MFC42(?,00000402,?,00000000,?,?,?,?,?,?,?,?,?,?,00409290,000000FF), ref: 00406770
#800.MFC42(?,00000402,?,00000000,?,?,?,?,?,?,?,?,?,?,00409290,000000FF), ref: 00406781

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00440E36, Relevance: 9.1, APIs: 5, Instructions: 188

APIs

Part of subcall function 00440917: EnumSystemLocalesW.KERNEL32(00440B8D,00000001), ref: 0044095C

Part of subcall function 0044089A: EnumSystemLocalesW.KERNEL32(0044099A,00000001), ref: 004408F5

GetUserDefaultLCID.KERNEL32 ref: 00440F4F
IsValidCodePage.KERNEL32 ref: 00440FA3
IsValidLocale.KERNEL32(?,00000001), ref: 00440FB6
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 00441009
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00441020

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Part of subcall function 00440CB5: GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00440CF9
Part of subcall function 00440CB5: GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00440D23

Part of subcall function 0044085A: EnumSystemLocalesW.KERNEL32(004407AC,00000001), ref: 00440886

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00403C90, Relevance: 9.0, APIs: 6, Instructions: 46

APIs

#540.MFC42 ref: 00403CAF
#2818.MFC42(?,0040D12C), ref: 00403CCD
ShellExecuteA.SHELL32(?,0040D124,00000000,00000000,00000003), ref: 00403CE9
#537.MFC42(0040D110,?,?,0040D124,00000000,00000000,00000003), ref: 00403CFB

Part of subcall function 00405A20: #540.MFC42 ref: 00405A56
Part of subcall function 00405A20: #540.MFC42 ref: 00405A67
Part of subcall function 00405A20: #540.MFC42 ref: 00405A78
Part of subcall function 00405A20: #4129.MFC42(?,00000003), ref: 00405A93
Part of subcall function 00405A20: #858.MFC42(?,?,00000003), ref: 00405AA5
Part of subcall function 00405A20: #800.MFC42(?,?,00000003), ref: 00405AB6
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D398,?,?,00000003), ref: 00405ACB
Part of subcall function 00405A20: #4129.MFC42(?,0000000C), ref: 00405AE2
Part of subcall function 00405A20: #858.MFC42(?,?,0000000C), ref: 00405AF4
Part of subcall function 00405A20: #5710.MFC42(?), ref: 00405B2A
Part of subcall function 00405A20: #858.MFC42(?,?), ref: 00405B3C
Part of subcall function 00405A20: #800.MFC42(?,?), ref: 00405B4D
Part of subcall function 00405A20: #6663.MFC42(?,00000001,?,?), ref: 00405B5D
Part of subcall function 00405A20: #4129.MFC42(?,?,?,00000001,?,?), ref: 00405B6C
Part of subcall function 00405A20: #922.MFC42(?,?,?,?,?,?,00000001,?,?), ref: 00405B85
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405B97
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405BA7
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,00000001,?,?), ref: 00405BB8
Part of subcall function 00405A20: _mbscmp.MSVCRT(00000001,0040D534,?,?,?,?,?,?,?,00000001,?,?), ref: 00405BC7
Part of subcall function 00405A20: #4129.MFC42(?,0000000C,?), ref: 00405BDE
Part of subcall function 00405A20: #858.MFC42(?,?,0000000C,?), ref: 00405BF0
Part of subcall function 00405A20: #800.MFC42(?,?,0000000C,?), ref: 00405C01
Part of subcall function 00405A20: #5710.MFC42(?,?,?), ref: 00405C26
Part of subcall function 00405A20: #858.MFC42(?,?,?,?), ref: 00405C3B
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 00405C4C
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D534,?,?,?,?), ref: 00405C5B
Part of subcall function 00405A20: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405CE9
Part of subcall function 00405A20: RegQueryValueExA.ADVAPI32(?,0040D36C,00000000,?,?,?), ref: 00405D0E
Part of subcall function 00405A20: #537.MFC42(?,?,?,?), ref: 00405D21
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 00405D2A
Part of subcall function 00405A20: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405D52
Part of subcall function 00405A20: RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00405D99
Part of subcall function 00405A20: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405E13
Part of subcall function 00405A20: RegQueryValueExA.ADVAPI32(?,0040D36C,00000000,?,?,?), ref: 00405E34
Part of subcall function 00405A20: #537.MFC42(?,?,?,?), ref: 00405E47
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D534,?,?,?,?), ref: 00405E5E
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?), ref: 00405E7B
Part of subcall function 00405A20: RegCloseKey.ADVAPI32(?), ref: 00405E85
Part of subcall function 00405A20: RegCloseKey.ADVAPI32(?), ref: 00405EA3
Part of subcall function 00405A20: #5710.MFC42(?,?,?,?,?), ref: 00405EC9
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?), ref: 00405EDB
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?), ref: 00405EEC
Part of subcall function 00405A20: #6663.MFC42(?,00000001,?,?,?,?,?,?), ref: 00405EFC
Part of subcall function 00405A20: #4129.MFC42(?,?,?,00000001,?,?,?,?,?,?), ref: 00405F0B
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F1D
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F2E
Part of subcall function 00405A20: _mbscmp.MSVCRT(00000001,0040D534,?,?,?,?,00000001,?,?,?,?,?,?), ref: 00405F3D
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?), ref: 00405F52
Part of subcall function 00405A20: #922.MFC42(?,?,?,?,?,?,?,?), ref: 00405F68
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?,?,?,?), ref: 00405F7A
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,?,?), ref: 00405F8B
Part of subcall function 00405A20: #5710.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 00405FB0
Part of subcall function 00405A20: #858.MFC42(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FC5
Part of subcall function 00405A20: #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FD6
Part of subcall function 00405A20: _mbscmp.MSVCRT(?,0040D534,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405FE5
Part of subcall function 00405A20: #535.MFC42(?,?,?,?), ref: 00406000
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 00406019
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 0040602A
Part of subcall function 00405A20: #800.MFC42(?,?,?,?), ref: 0040603B

#800.MFC42(?,0040D110,?,?,0040D124,00000000,00000000,00000003), ref: 00403D10
#800.MFC42(?,0040D110,?,?,0040D124,00000000,00000000,00000003), ref: 00403D21

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00403D40, Relevance: 9.0, APIs: 5, Instructions: 107

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F013F,?), ref: 00403E02
RegQueryValueExA.ADVAPI32(?,0040D140,00000000,?,?,?), ref: 00403E2A
#537.MFC42(?,?,?,0000C3F2,00000000), ref: 00403E40
#858.MFC42(?,?,?,?,0000C3F2,00000000), ref: 00403E58
#800.MFC42(?,?,?,?,0000C3F2,00000000), ref: 00403E6C

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00432365, Relevance: 9.0, APIs: 5, Instructions: 73

APIs

RtlEncodePointer.NTDLL ref: 00432378
RtlEncodePointer.NTDLL ref: 00432383

Part of subcall function 0043918B: RtlSizeHeap.NTDLL(00000000,00000000), ref: 004391B4

Part of subcall function 00437DBD: Sleep.KERNEL32(00000000), ref: 00437DE5

RtlEncodePointer.NTDLL ref: 004323EA
RtlEncodePointer.NTDLL(?), ref: 004323F8
RtlEncodePointer.NTDLL ref: 00432404

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00406D80, Relevance: 9.0, APIs: 5, Instructions: 44

APIs

#540.MFC42(?,?,?,00000064,0000C5E4), ref: 00406DA8
VerQueryValueA.VERSION(?,0040D42C,?,?,?,?,?,00000064,0000C5E4), ref: 00406DC6
#2818.MFC42(?,0040D12C,?,?,0040D42C,?,?,?,?,?,00000064,0000C5E4), ref: 00406DD8
#535.MFC42(?,?,?,?,?,00000064,0000C5E4), ref: 00406DEB
#800.MFC42(?,?,?,?,?,00000064,0000C5E4), ref: 00406E01

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0040E3C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35

APIs

CreateSolidBrush.GDI32(00BCAE9B), ref: 0040E403
LoadIconW.USER32(?,00000085), ref: 0040E41E
RegisterClassExW.USER32(?), ref: 0040E42B

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

0, xrefs: 0040E3DF
MainAntivirus_Class, xrefs: 0040E417

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040E43E, Relevance: 8.4, APIs: 2, Strings: 2, Instructions: 42

APIs

ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000001), ref: 0040E49C
CoInitialize.OLE32(00000000), ref: 0040E4A3

Strings

iexplore, xrefs: 0040E451 0040E45C 0040E472
open, xrefs: 0040E496

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00440CB5, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 56

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00440CF9
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00440D23

Strings

ACP, xrefs: 00440CC6
OCP, xrefs: 00440CD7

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00438E99, Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 19

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?), ref: 00438EA8
GetProcAddress.KERNEL32(FFFFFFFE,CorExitProcess), ref: 00438EBA

Strings

mscoree.dll, xrefs: 00438EA1
CorExitProcess, xrefs: 00438EB2

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00407060, Relevance: 7.9, APIs: 4, Instructions: 32

APIs

#540.MFC42(?,?,?,004093C8,000000FF,00403524), ref: 0040707D
#2818.MFC42(?,0040D454,?), ref: 0040709E
#5953.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070B2
#800.MFC42(00000402,?,004093C8,000000FF,00403524), ref: 004070C3

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0043D4F0, Relevance: 7.7, APIs: 5, Instructions: 214

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,?), ref: 0043D5D0
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,00000000,00000000,?), ref: 0043D60C
RtlGetLastWin32Error.NTDLL ref: 0043D632
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,?), ref: 0043D662
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0043D715

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00406F80, Relevance: 7.5, APIs: 5, Instructions: 28

APIs

KillTimer.USER32(?,00000000), ref: 00406F89
UpdateWindow.USER32 ref: 00406F9F
#2379.MFC42(?,?,00000000), ref: 00406FA7
PostMessageA.USER32(?,00000312,0000806C,00000000), ref: 00406FC0
#2379.MFC42(?,00000312,0000806C,00000000,?,00000000), ref: 00406FC8

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0041F408, Relevance: 7.4, APIs: 4, Instructions: 77

APIs

PtInRect.USER32(?,01D17A38,?), ref: 0041F424
InvalidateRect.USER32(?,?,00000001), ref: 0041F456
PtInRect.USER32(?,01D17A38,?), ref: 0041F491
InvalidateRect.USER32(?,?,00000001), ref: 0041F4AC

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00406E20, Relevance: 7.2, APIs: 4, Instructions: 32

APIs

malloc.MSVCRT ref: 00406E3D
GetFileVersionInfoSizeA.VERSION(?,?,00000064,0000C5E4), ref: 00406E4A
malloc.MSVCRT ref: 00406E53
GetFileVersionInfoA.VERSION(?,00000000,?,?,?,00000064,0000C5E4), ref: 00406E66

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 0040DF2E, Relevance: 7.2, APIs: 4, Instructions: 29

APIs

RtlEnterCriticalSection.NTDLL(004AA75C), ref: 0040DF39
RtlLeaveCriticalSection.NTDLL(004AA75C), ref: 0040DF6B
ShowWindow.USER32(00000000), ref: 0040DF79
SetCursor.USER32 ref: 0040DF85

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040DF0E, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 12

APIs

RtlEnterCriticalSection.NTDLL(004A9510,00000000,vmware,00401910), ref: 0040DF16
RtlLeaveCriticalSection.NTDLL(004A9510,?,windir), ref: 0040DF23

Strings

vmware, xrefs: 0040DF0E

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00406D60, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 11

APIs

free.MSVCRT ref: 00406D6D
#800.MFC42(00403C22,?,?,00000064,0000C5E4), ref: 00406D79

Strings

l@, xrefs: 00406D66

Memory Dump Source

Source File: 00000000.00000000.678144333.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.678124007.00400000.00000002.sdmp
Associated: 00000000.00000000.678194160.0040A000.00000002.sdmp
Associated: 00000000.00000000.678269672.0040D000.00000008.sdmp

Function 00439AFD, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 129

APIs

GetCPInfo.KERNEL32(?,?), ref: 00439B20

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

, xrefs: 00439B49
, xrefs: 00439B65

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042C91A, Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 37

APIs

Part of subcall function 0042BFCC: GetWindowRect.USER32(?,?), ref: 0042C007
Part of subcall function 0042BFCC: CreateWindowExW.USER32 ref: 0042C03D
Part of subcall function 0042BFCC: ShowWindow.USER32(?,00000001), ref: 0042C049
Part of subcall function 0042BFCC: UpdateWindow.USER32(?), ref: 0042C052

UpdateWindow.USER32 ref: 0042C932
ShowWindow.USER32(?,00000001), ref: 0042C96B

Strings

Antivirus Security Pro, xrefs: 0042C91D

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043ABB7, Relevance: 6.2, APIs: 4, Instructions: 167

APIs

Part of subcall function 00437D74: Sleep.KERNEL32(00000000), ref: 00437D96

InterlockedDecrement.KERNEL32 ref: 0043B2F2

Part of subcall function 004355F3: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435607
Part of subcall function 004355F3: RtlGetLastWin32Error.NTDLL ref: 00435619

Part of subcall function 00439659: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043965B

Part of subcall function 0043ABB7: InterlockedDecrement.KERNEL32 ref: 0043AC8A
Part of subcall function 0043ABB7: InterlockedDecrement.KERNEL32 ref: 0043ACA6
Part of subcall function 0043ABB7: InterlockedDecrement.KERNEL32 ref: 0043ACE4
Part of subcall function 0043ABB7: InterlockedDecrement.KERNEL32 ref: 0043ACFC

Part of subcall function 0043A706: GetACP.KERNEL32 ref: 0043A8EA

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043D297, Relevance: 6.1, APIs: 4, Instructions: 128

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000001,?), ref: 0043D32C
RtlGetLastWin32Error.NTDLL ref: 0043D33A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000001,?), ref: 0043D38D
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0043D3C8

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042C64C, Relevance: 6.1, APIs: 4, Instructions: 71

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0042C67C
GetWindowLongW.USER32(?,000000EB), ref: 0042C691
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0042C6C8
DefWindowProcW.USER32(?,00000002,00000000,00000002), ref: 0042C6E5

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040C4A1, Relevance: 6.1, APIs: 4, Instructions: 58

APIs

RtlEnterCriticalSection.NTDLL(004AA75C), ref: 0040C4BD
EnumChildWindows.USER32(?,Function_0000C442,00000000), ref: 0040C51E
RtlLeaveCriticalSection.NTDLL(004AA75C), ref: 0040C529
ExitProcess.KERNEL32(00000000), ref: 0040C53B

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043CC29, Relevance: 6.1, APIs: 4, Instructions: 52

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0043CC5D
GetCurrentThreadId.KERNEL32 ref: 0043CC6C
GetCurrentProcessId.KERNEL32 ref: 0043CC75
QueryPerformanceCounter.KERNEL32(?), ref: 0043CC82

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041390D, Relevance: 6.0, APIs: 4, Instructions: 38

APIs

RtlEnterCriticalSection.NTDLL(004AA75C), ref: 00413918
RtlLeaveCriticalSection.NTDLL(004AA75C), ref: 0041395E
ShowWindow.USER32(00000005), ref: 0041396C
SetCursor.USER32 ref: 00413978

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042DD1D, Relevance: 5.8, APIs: 3, Instructions: 226

APIs

Part of subcall function 0042DC80: CoCreateInstance.OLE32(0042D7D3,?,00000014,0046ECA4,?), ref: 0042DCBA
Part of subcall function 0042DC80: OleRun.OLE32(0042D7D3), ref: 0042DCC9
Part of subcall function 0042DC80: CoCreateInstance.OLE32(0042D7D3,?,00000014,0046F054,?), ref: 0042DCFB

IsWindow.USER32(00000000), ref: 0042DE68
GetWindowTextLengthW.USER32(00000000), ref: 0042DE75

Part of subcall function 0042D929: Sleep.KERNEL32(0000000A), ref: 0042DA21
Part of subcall function 0042D929: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042DAA1
Part of subcall function 0042D929: TranslateMessage.USER32(?), ref: 0042DAB9
Part of subcall function 0042D929: IsWindow.USER32(?), ref: 0042DAC2
Part of subcall function 0042D929: DispatchMessageW.USER32(?), ref: 0042DAD0
Part of subcall function 0042D929: Sleep.KERNEL32(00000000), ref: 0042DAE6

GetWindowTextW.USER32(00000000), ref: 0042DE99

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041F232, Relevance: 5.7, APIs: 3, Instructions: 73

APIs

PtInRect.USER32(?,00000000,00000000), ref: 0041F262
InvalidateRect.USER32(?,?,00000001), ref: 0041F294
PtInRect.USER32(?,00000000,00000000), ref: 0041F2CF

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0042DB28, Relevance: 5.6, APIs: 3, Instructions: 40

APIs

LoadResource.KERNEL32(?,?), ref: 0042DB31
LockResource.KERNEL32 ref: 0042DB3F
SizeofResource.KERNEL32(?,?), ref: 0042DB51

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 004256A7, Relevance: 5.5, APIs: 3, Instructions: 68

APIs

SetScrollInfo.USER32(?,00000001,?,00000001), ref: 004256E9
SetScrollInfo.USER32(?,00000001,?,00000001), ref: 00425730
EnableScrollBar.USER32(?,00000001,00000000), ref: 0042573F

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043D172, Relevance: 5.5, APIs: 3, Instructions: 67

APIs

RtlGetLastWin32Error.NTDLL ref: 0043D1F2

Part of subcall function 004355F3: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435607
Part of subcall function 004355F3: RtlGetLastWin32Error.NTDLL ref: 00435619

Part of subcall function 0043562B: RtlAllocateHeap.NTDLL(00140000,00000000,00000001), ref: 0043566E

RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0043D1AF
RtlGetLastWin32Error.NTDLL ref: 0043D20A

Part of subcall function 00438E66: RtlDecodePointer.NTDLL(?,004356AC,?,?,?,004357F4,?,00000000,?,?,?,0043572E,004316F1), ref: 00438E6F

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0041BBC9, Relevance: 5.5, APIs: 3, Instructions: 61

APIs

GetDesktopWindow.USER32(?), ref: 0041BBE0
GetWindowRect.USER32 ref: 0041BBE7
SetWindowPos.USER32(?,00000000,?,?,?,?,?), ref: 0041BC54

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 00425611, Relevance: 5.5, APIs: 3, Instructions: 54

APIs

GetScrollInfo.USER32(?,00000001,?), ref: 00425649
SendMessageW.USER32(?,00000115,00000000,00000000), ref: 0042566F
SendMessageW.USER32(?,00000115,00000001,00000000), ref: 0042568D

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0043A2D4, Relevance: 5.5, APIs: 3, Instructions: 44

APIs

RtlGetLastWin32Error.NTDLL ref: 0043A2D6

Part of subcall function 00438141: TlsGetValue.KERNEL32(00000000,?,0043A2E9), ref: 00438158

RtlRestoreLastWin32Error.NTDLL ref: 0043A338

Part of subcall function 00437D2A: Sleep.KERNEL32(00000000), ref: 00437D50

Part of subcall function 00438160: TlsSetValue.KERNEL32(00000000,?), ref: 0043817A

GetCurrentThreadId.KERNEL32 ref: 0043A320

Part of subcall function 004355F3: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435607
Part of subcall function 004355F3: RtlGetLastWin32Error.NTDLL ref: 00435619

Part of subcall function 0043A343: InterlockedIncrement.KERNEL32(?,00480F10,00000008), ref: 0043A394

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0044765F, Relevance: 5.5, APIs: 3, Instructions: 41

APIs

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00447682
RtlEnterCriticalSection.NTDLL(004AC4A8), ref: 00447694
RtlLeaveCriticalSection.NTDLL(004AC4A8), ref: 004476C0

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Function 0040B08A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37

APIs

CreateSolidBrush.GDI32(00F5F5F5), ref: 0040B0CF
RegisterClassExW.USER32(?), ref: 0040B0DF

Part of subcall function 004334A1: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00435AD0

Strings

0, xrefs: 0040B0B6

Memory Dump Source

Source File: 00000000.00000002.1579274033.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1579259960.00400000.00000004.sdmp
Associated: 00000000.00000002.1579673929.00502000.00000080.sdmp
Associated: 00000000.00000002.1579698459.00508000.00000040.sdmp
Associated: 00000000.00000002.1579752468.00521000.00000004.sdmp

Loading ...

Warning!

Error!

General Information

Detection

Signature Overview

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Virtual Machine Detection:

Language, Device and Operating System Detection:

Screenshot

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis Process: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe PID: 1352 Parent PID: 1060

Chronological Activities

Disassembly

Code Analysis

Analysis Process: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe PID: 1352 Parent PID: 1060