Windows Analysis Report
PagefileConfig.exe

Overview

General Information

Sample name:PagefileConfig.exe
Analysis ID:1566859
MD5:df53b06d20092c35a0e594801c5ddf56
SHA1:93e19fe9e46baecbe6f104735b33b1ff004e8216
SHA256:390100a6f28c962f3f3db8026b216dbc8409d3467a4c130692ca2f4f4ec970a0
Infos:

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PagefileConfig.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\PagefileConfig.exe" MD5: DF53B06D20092C35A0E594801C5DDF56)
    • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures, click here to show all signatures.

Source: PagefileConfig.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PagefileConfig.exeStatic PE information: certificate valid
Source: PagefileConfig.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: PagefileConfig.exeString found in binary or memory: http://ocsp.comodoca.com0
Source: PagefileConfig.exeString found in binary or memory: http://www.autoitscript.com/atools/
Source: PagefileConfig.exe, ConDrv.0.drString found in binary or memory: http://www.autoitscript.com/tools
Source: PagefileConfig.exeString found in binary or memory: http://www.autoitscript.com/tools:
Source: PagefileConfig.exeString found in binary or memory: http://www.autoitscript.com/toolsB
Source: PagefileConfig.exeString found in binary or memory: http://www.autoitscript.com/toolsThis
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_0079F2600_2_0079F260
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007993620_2_00799362
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007997360_2_00799736
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007A27CF0_2_007A27CF
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_00799B420_2_00799B42
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_00798E8D0_2_00798E8D
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_00799F620_2_00799F62
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: String function: 0079FEA0 appears 49 times
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: String function: 0079AF0E appears 37 times
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: String function: 00788591 appears 32 times
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: String function: 0079AEDB appears 182 times
Source: classification engineClassification label: clean5.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
Source: PagefileConfig.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PagefileConfig.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\PagefileConfig.exe "C:\Users\user\Desktop\PagefileConfig.exe"
Source: C:\Users\user\Desktop\PagefileConfig.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PagefileConfig.exeSection loaded: apphelp.dllJump to behavior
Source: PagefileConfig.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PagefileConfig.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PagefileConfig.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PagefileConfig.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PagefileConfig.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007A6DF4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_007A6DF4
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_0079FEE5 push ecx; ret 0_2_0079FEF8
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_0079AFB3 push ecx; ret 0_2_0079AFC6
Source: C:\Users\user\Desktop\PagefileConfig.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-24361
Source: C:\Users\user\Desktop\PagefileConfig.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-25300
Source: C:\Users\user\Desktop\PagefileConfig.exeAPI coverage: 9.7 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PagefileConfig.exeAPI call chain: ExitProcess graph end nodegraph_0-25302
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007985B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_007985B2
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007A1742 SetUnhandledExceptionFilter,0_2_007A1742
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_0079DC7A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0079DC7A
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_00798D15 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00798D15
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_0078BE8D _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0078BE8D
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoA,0_2_0079F038
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_007A603D
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_007A6154
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __crtGetLocaleInfoA_stat,0_2_007A711B
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_007A61EC
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_007A6260
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_007A52DF
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_007A1349
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,0_2_0079C3EE
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_007A6432
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_007A64F3
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_007A655A
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_007A6596
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_007A594D
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoA,0_2_007A4AAF
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_007A5BA5
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,0_2_007A6FDC
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoW,0_2_007A6FA8
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: GetLocaleInfoA,___ascii_strnicmp,__tolower_l,__tolower_l,0_2_007A7F85
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007A1EBA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_007A1EBA
Source: C:\Users\user\Desktop\PagefileConfig.exeCode function: 0_2_007889E5 GetVersionExW,0_2_007889E5
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Native API (2); Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Process Injection (1); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (2)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (13); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
[Behavior graph, ID: 1566859. Sample: PagefileConfig.exe; Startdate: 02/12/2024; Architecture: WINDOWS; Score: 5. PagefileConfig.exe started conhost.exe.]

Source | Detection | Scanner | Label | Link
PagefileConfig.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/toolsB | PagefileConfig.exe | false | | high
http://www.autoitscript.com/atools/ | PagefileConfig.exe | false | | high
http://www.autoitscript.com/tools: | PagefileConfig.exe | false | | high
http://www.autoitscript.com/tools | PagefileConfig.exe, ConDrv.0.dr | false | | high
http://www.autoitscript.com/toolsThis | PagefileConfig.exe | false | | high
No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1566859
            Start date and time:2024-12-02 18:58:28 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 1m 57s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:3
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:PagefileConfig.exe
            Detection:CLEAN
            Classification:clean5.winEXE@2/1@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 96%
            • Number of executed functions: 18
            • Number of non-executed functions: 52
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): dllhost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
            • Not all processes where analyzed, report is missing behavior information
            • VT rate limit hit for: PagefileConfig.exe
            No simulations
            No context
            Process:C:\Users\user\Desktop\PagefileConfig.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):845
            Entropy (8bit):4.559172871464807
            Encrypted:false
            SSDEEP:24:zOFSOOOuP0oBECWxZt858X858sq8tdREq6RR:yFPhM0UsncFRET
            MD5:10B27BC3421249DA288A9872D9946736
            SHA1:BB69ADBAC704AC4CDF2EB76598456076B315ED02
            SHA-256:2CFD0AD67BC755EA227B2E6DAFC647DA4BF9F250F143D687BCD9F72147AF829E
            SHA-512:09E88C5C2549C3C11EFAD3C879039DBCE5F3A9E0AA8E81CFAEF646E8727C601BCA83190EF597A494BB174D1F95E7AF4DBD6D96C5F61342218A64407E166D082B
            Malicious:false
            Reputation:low
            Preview:..PagefileConfig v1.0.0 - Pagefile Configuration Utility..Copyright (C) 2009 Jonathan Bennett..http://www.autoitscript.com/tools....Options:.. -h [ --help ] This help message... -a [ --auto ] Let the system manage all page files... -s [ --set ] arg Set pagefile options for a drive... Where args are: driveletter: min max... Sizes are in megabytes (Mb)... -n [ --none ] Don't use any page files.....Examples:.. PagefileConfig.exe --set C: 1024 4096.. PagefileConfig.exe --set C: 1024 4096 --set D: 512 512.. PagefileConfig.exe --set C: 0 0 --set D: 512 512.. PagefileConfig.exe --auto.. PagefileConfig.exe --none....Notes:.. - Pagefile sizes are in megabytes (Mb)... - Setting min and max to 0 will let the system manage the pagefile for a given drive...
            File type:PE32 executable (console) Intel 80386, for MS Windows
            Entropy (8bit):6.390151828775151
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:PagefileConfig.exe
            File size:254'832 bytes
            MD5:df53b06d20092c35a0e594801c5ddf56
            SHA1:93e19fe9e46baecbe6f104735b33b1ff004e8216
            SHA256:390100a6f28c962f3f3db8026b216dbc8409d3467a4c130692ca2f4f4ec970a0
            SHA512:f576aeeb088c154fb6c54b77aa642b01c4c82dad6a308f0d4e0fab173ed1945c76065fe94bc3e1d8373cdcedc6aceab8da362b5e9940e45d52b49ede7fad22cf
            SSDEEP:3072:UY/hS35NexXsLTvbzOgtDZRxuz0uN1k59A8IAi0LLnEs+oO0wzlBNeun/TOEj2:UY/hL1m7zD8QUExLnElzlBNPKEa
            TLSH:6D447B227BD1C077C26325768CC8D7B9A6F9F8709D358A07BBD4076E9F316A38A11352
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bxb..............a.......a..;....a..{...!.w.........g....a.......K.......a......Rich............PE..L...y..J...................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x41aa9f
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Time Stamp:0x4A1CEB79 [Wed May 27 07:27:53 2009 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:ff3580dc3e267752241c0cf58e513fd5
            Signature Valid:true
            Signature Issuer:CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
            Signature Validation Error:The operation completed successfully
            Error Number:0
            Not Before, Not After
            • 08/02/2009 19:00:00 09/02/2012 18:59:59
            Subject Chain
            • CN=Jonathan Bennett, O=Jonathan Bennett, STREET=19 Linnet Close, L=Birmingham, S=West Midlands, PostalCode=B30 1XB, C=GB
            Version:3
            Thumbprint MD5:5FE91C20B3DE6BA483BF3C8D461FAB8B
            Thumbprint SHA-1:B1B968D50B0BED69315EFCE51D307D8DCBEBD584
            Thumbprint SHA-256:771CA562615F9F128FF3993D079825DA87F8800358B67E52172DEA5691E6E4A4
            Serial:00FF3628AC973FD4AF789D25697A20B243
            Instruction
            call 00007F8C545FE40Bh
            jmp 00007F8C545F6E9Ah
            mov edi, edi
            push ebp
            mov ebp, esp
            sub esp, 20h
            mov eax, dword ptr [ebp+08h]
            push esi
            push edi
            push 00000008h
            pop ecx
            mov esi, 0042BB5Ch
            lea edi, dword ptr [ebp-20h]
            rep movsd
            mov dword ptr [ebp-08h], eax
            mov eax, dword ptr [ebp+0Ch]
            pop edi
            mov dword ptr [ebp-04h], eax
            pop esi
            test eax, eax
            je 00007F8C545F6FFEh
            test byte ptr [eax], 00000008h
            je 00007F8C545F6FF9h
            mov dword ptr [ebp-0Ch], 01994000h
            lea eax, dword ptr [ebp-0Ch]
            push eax
            push dword ptr [ebp-10h]
            push dword ptr [ebp-1Ch]
            push dword ptr [ebp-20h]
            call dword ptr [0042B064h]
            leave
            retn 0008h
            mov edi, edi
            push ebp
            mov ebp, esp
            push ecx
            push ebx
            mov eax, dword ptr [ebp+0Ch]
            add eax, 0Ch
            mov dword ptr [ebp-04h], eax
            mov ebx, dword ptr fs:[00000000h]
            mov eax, dword ptr [ebx]
            mov dword ptr fs:[00000000h], eax
            mov eax, dword ptr [ebp+08h]
            mov ebx, dword ptr [ebp+0Ch]
            mov ebp, dword ptr [ebp-04h]
            mov esp, dword ptr [ebx-04h]
            jmp eax
            pop ebx
            leave
            retn 0008h
            pop eax
            pop ecx
            xchg dword ptr [esp], eax
            jmp eax
            mov edi, edi
            push ebp
            mov ebp, esp
            push ecx
            push ecx
            push ebx
            push esi
            push edi
            mov esi, dword ptr fs:[00000000h]
            mov dword ptr [ebp-04h], esi
            mov dword ptr [ebp-08h], 0041AB59h
            push 00000000h
            push dword ptr [ebp+0Ch]
            push dword ptr [ebp-08h]
            push dword ptr [ebp+08h]
            call 00007F8C5460496Ah
            mov eax, dword ptr [ebp+0Ch]
            mov eax, dword ptr [eax+04h]
            and eax, FFFFFFFDh
            mov ecx, dword ptr [ebp+0Ch]
            mov dword ptr [ecx+00h], eax
            Programming Language:
            • [ASM] VS2008 SP1 build 30729
            • [C++] VS2008 SP1 build 30729
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2005 build 50727
            • [RES] VS2008 build 21022
            • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35220 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3ce00 | 0x1570 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d000 | 0x2b3c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e9a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x14c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29ce1 | 0x29e00 | 12d22b371ba2372c96dc5c938b47ca9b | False | 0.5327308768656717 | MPEG-4 LOAS, single stream | 6.559673592043765 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0xa998 | 0xaa00 | 4cadd83a9ce1421085fafb9012cca1b2 | False | 0.3262637867647059 | data | 4.507251096462881 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x36000 | 0x5688 | 0x3600 | 1e391e4bac89d42de9ebf02f550d0707 | False | 0.15719039351851852 | OpenPGP Secret Key | 4.497366649401155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c000 | 0x59c | 0x600 | c53884369cfd2c05043bc4f990f7f198 | False | 0.41015625 | data | 4.301412065725441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3d000 | 0x44ea | 0x4600 | d27b7ce4c349bff4cb952f5ae69a31e7 | False | 0.452734375 | data | 4.861125957490916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3c0a0 | 0x394 | OpenPGP Secret Key | English | Great Britain | 0.41375545851528384
RT_MANIFEST | 0x3c434 | 0x165 | ASCII text, with CRLF line terminators | English | United States | 0.5434173669467787

DLL | Import
KERNEL32.dll | GetVersionExW, GetFileAttributesW, CreateFileA, SetStdHandle, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, InterlockedCompareExchange, InterlockedExchange, MultiByteToWideChar, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, GetLastError, HeapFree, GetCPInfo, LCMapStringA, LCMapStringW, GetStringTypeW, GetModuleHandleW, GetProcAddress, ExitProcess, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, HeapSize, HeapAlloc, GetACP, GetOEMCP, IsValidCodePage, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer, CloseHandle, GetStringTypeA, GetLocaleInfoA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegSetValueExW

Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
            No network behavior found

            Target ID:0
            Start time:12:59:23
            Start date:02/12/2024
            Path:C:\Users\user\Desktop\PagefileConfig.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PagefileConfig.exe"
            Imagebase:0x780000
            File size:254'832 bytes
            MD5 hash:DF53B06D20092C35A0E594801C5DDF56
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:12:59:23
            Start date:02/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:8.4%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0.5%
              Total number of Nodes:1538
              Total number of Limit Nodes:8
24586->24397 24587->24407 24588->24404 24589->24416 24590->24422 24591->24431 24592->24434 24593->24428 24594->24428 24596 7a6896 24595->24596 24597 79f860 __encode_pointer 6 API calls 24596->24597 24598 7a68ae 24596->24598 24597->24596 24598->24439 24599->24441 24601 781735 __EH_prolog3_GS ctype 24600->24601 24837 7828fe 24601->24837 24605 781768 24851 782f03 24605->24851 24607 781778 24608 7828fe 75 API calls 24607->24608 24609 781785 24608->24609 24610 788b22 75 API calls 24609->24610 24611 781795 24610->24611 24612 782f03 ctype 63 API calls 24611->24612 24613 7817a2 24612->24613 24614 7828fe 75 API calls 24613->24614 24615 7817af 24614->24615 24616 788b22 75 API calls 24615->24616 24617 7817bf 24616->24617 24618 782f03 ctype 63 API calls 24617->24618 24619 7817cc 24618->24619 24620 7828fe 75 API calls 24619->24620 24621 7817d9 24620->24621 24622 788b22 75 API calls 24621->24622 24623 7817e9 24622->24623 24624 782f03 ctype 63 API calls 24623->24624 24625 7817f6 24624->24625 24626 7828fe 75 API calls 24625->24626 24627 7817ff 24626->24627 24628 788b22 75 API calls 24627->24628 24629 78180f 24628->24629 24630 782f03 ctype 63 API calls 24629->24630 24631 78181c 24630->24631 24857 788b02 24631->24857 24634 782f03 ctype 63 API calls 24635 78182e 24634->24635 24861 79afc7 24635->24861 24637 781349 24637->24446 24637->24447 24639 7885a2 std::locale::_Locimp::_Locimp 24638->24639 25054 788574 24639->25054 24642 7916d9 24643 7916e5 __EH_prolog3 24642->24643 25118 7888f8 24643->25118 24647 791704 25128 7910ea 24647->25128 24649 791710 24650 7910b2 75 API calls 24649->24650 24651 79171c codecvt 24650->24651 24651->24452 24653 78898e std::locale::_Locimp::_Locimp 24652->24653 24654 788965 24652->24654 24653->24455 24654->24653 24655 788985 24654->24655 25169 78891e 62 API calls ctype 24654->25169 24656 7986ff ctype 63 API calls 24655->24656 24656->24653 24659 78e430 __EH_prolog3 24658->24659 25170 78e067 24659->25170 24663 78e458 codecvt 24663->24458 24666 7987ac 
24664->24666 24667 7987c6 24666->24667 24671 7987c8 std::bad_alloc::bad_alloc 24666->24671 25267 7a00db 24666->25267 25285 7a01b4 6 API calls __decode_pointer 24666->25285 24667->24460 24669 7987ee 25287 7886a6 62 API calls std::exception::exception 24669->25287 24671->24669 25286 7986e8 73 API calls _AtModuleExit 24671->25286 24672 7987f8 25288 79aaa9 RaiseException 24672->25288 24675 798806 24677 7922e2 __EH_prolog3 24676->24677 24678 7987a2 codecvt 74 API calls 24677->24678 24679 7922eb 24678->24679 24680 7987a2 codecvt 74 API calls 24679->24680 24686 79231f 24679->24686 24682 7922fe 24680->24682 25304 791051 24682->25304 24683 792330 ctype 25315 791f3e 24683->25315 25312 78f7bf 24686->25312 24687 79234e codecvt ctype 24687->24462 24689 792370 __EH_prolog3 24688->24689 24690 7987a2 codecvt 74 API calls 24689->24690 24691 792379 24690->24691 24692 792396 24691->24692 24693 791051 75 API calls 24691->24693 24694 78f7bf 74 API calls 24692->24694 24693->24692 24695 7923a3 ctype 24694->24695 24696 791f3e 75 API calls 24695->24696 24697 7923c1 codecvt ctype 24696->24697 24697->24466 24699 7843ca __EH_prolog3 24698->24699 25343 784d91 24699->25343 24701 7843fd 25358 794a66 24701->25358 24703 784417 25362 784e36 24703->25362 24707 784459 codecvt 24707->24470 25663 78e0a7 24708->25663 24711 7816e5 24712 78314a 63 API calls 24711->24712 24713 7816f3 24712->24713 24714 7986ff ctype 63 API calls 24713->24714 24715 7816fa 24714->24715 25765 783120 24715->25765 24718 7986ff ctype 63 API calls 24719 781454 24718->24719 24720 78d2c9 24719->24720 24721 78369f ctype 6 API calls 24720->24721 24722 78d2e1 24721->24722 24723 78cfc2 6 API calls 24722->24723 24724 78d2ec 24723->24724 24725 783e24 6 API calls 24724->24725 24726 78d2f5 24725->24726 24728 78cfc2 6 API calls 24726->24728 24729 783e24 6 API calls 24726->24729 24730 781460 24726->24730 25772 78cfdb 6 API calls 24726->25772 24728->24726 24729->24726 24730->24477 25773 7835d9 24731->25773 25794 792aab 24736->25794 24738 
7814af 24739 78446e 24738->24739 24740 78447a __EH_prolog3_catch _strlen 24739->24740 24741 78829f 76 API calls 24740->24741 24744 7844ab 24741->24744 24742 7844f8 24747 7844b5 24742->24747 26337 7896c2 24742->26337 24743 78824b 75 API calls 24745 78453f 24743->24745 24744->24742 24746 787fac 111 API calls 24744->24746 24744->24747 24748 788030 75 API calls 24745->24748 24746->24744 24747->24743 24749 78454b codecvt 24748->24749 24749->24491 24750 787fac 111 API calls 24751 784514 24750->24751 24751->24747 24751->24750 24754 7818da __EH_prolog3_GS ctype 24753->24754 24755 7828fe 75 API calls 24754->24755 24756 7818fc 24755->24756 24757 788b22 75 API calls 24756->24757 24758 78190c 24757->24758 24759 782f03 ctype 63 API calls 24758->24759 24760 78191c 24759->24760 24761 7828fe 75 API calls 24760->24761 24762 781929 24761->24762 24763 788b22 75 API calls 24762->24763 24764 781939 24763->24764 24765 782f03 ctype 63 API calls 24764->24765 24766 781946 24765->24766 24767 7828fe 75 API calls 24766->24767 24768 781953 24767->24768 24769 788b22 75 API calls 24768->24769 24770 781963 24769->24770 24771 782f03 ctype 63 API calls 24770->24771 24772 781970 24771->24772 24773 7828fe 75 API calls 24772->24773 24774 78197d 24773->24774 24775 788b22 75 API calls 24774->24775 24776 78198d 24775->24776 24777 782f03 ctype 63 API calls 24776->24777 24778 78199a 24777->24778 24779 7828fe 75 API calls 24778->24779 24780 7819a7 24779->24780 24781 788b22 75 API calls 24780->24781 24782 7819b7 24781->24782 24783 782f03 ctype 63 API calls 24782->24783 24784 7819c4 24783->24784 24785 7828fe 75 API calls 24784->24785 24786 7819d1 24785->24786 24787 788b22 75 API calls 24786->24787 24788 7819e1 24787->24788 24789 782f03 ctype 63 API calls 24788->24789 24790 7819ee 24789->24790 24791 7828fe 75 API calls 24790->24791 24792 7819fb 24791->24792 24793 788b22 75 API calls 24792->24793 24794 781a0b 24793->24794 24795 782f03 ctype 63 API calls 24794->24795 24796 781a18 24795->24796 24797 7828fe 75 API 
calls 24796->24797 24798 781a25 24797->24798 24799 788b22 75 API calls 24798->24799 24800 781a35 24799->24800 24801 782f03 ctype 63 API calls 24800->24801 24802 781a42 24801->24802 24803 7828fe 75 API calls 24802->24803 24804 781a4f 24803->24804 24805 788b22 75 API calls 24804->24805 24806 781a5f 24805->24806 24807 782f03 ctype 63 API calls 24806->24807 24808 781a6c 24807->24808 24809 7828fe 75 API calls 24808->24809 24810 781a79 24809->24810 24811 788b22 75 API calls 24810->24811 24812 781a89 24811->24812 24813 782f03 ctype 63 API calls 24812->24813 24814 781a96 24813->24814 24815 788b02 115 API calls 24814->24815 24816 781a9e 24815->24816 24817 782f03 ctype 63 API calls 24816->24817 24818 781aa8 24817->24818 24819 79afc7 ctype 5 API calls 24818->24819 24820 7814be 24819->24820 24835 7816ad 75 API calls 3 library calls 24820->24835 24822 7985ba 24821->24822 24823 7985bc IsDebuggerPresent 24821->24823 24822->24456 26341 7a115d 24823->26341 24826 79f827 SetUnhandledExceptionFilter UnhandledExceptionFilter 24827 79f84c GetCurrentProcess TerminateProcess 24826->24827 24828 79f844 __invoke_watson 24826->24828 24827->24456 24828->24827 24829->24506 24830->24502 24831->24524 24832->24511 24833->24506 24834->24524 24835->24501 24836->24506 24838 782911 ctype 24837->24838 24864 782e77 24838->24864 24840 781758 24841 788b22 24840->24841 24842 788b2e __EH_prolog3 24841->24842 24876 783228 24842->24876 24844 788b3c 24845 7828fe 75 API calls 24844->24845 24846 788b49 24845->24846 24847 783228 75 API calls 24846->24847 24848 788b59 24847->24848 24849 782f03 ctype 63 API calls 24848->24849 24850 788b65 codecvt 24849->24850 24850->24605 24852 782f0d 24851->24852 24853 782f36 ctype 24851->24853 24852->24853 24856 782f2d 24852->24856 24890 788410 62 API calls _wmemcpy_s 24852->24890 24853->24607 24891 7986ff 24856->24891 24858 788b09 24857->24858 24898 7845ac 24858->24898 24860 781824 24860->24634 24862 7985b2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 
24861->24862 24863 79afd1 24862->24863 24863->24863 24865 782e81 _wcslen 24864->24865 24866 782eae 24865->24866 24867 782e90 24865->24867 24874 78378c 75 API calls 2 library calls 24866->24874 24873 78336c 75 API calls 3 library calls 24867->24873 24870 782eac ctype 24870->24840 24871 782eb8 24871->24870 24875 788410 62 API calls _wmemcpy_s 24871->24875 24873->24870 24874->24871 24875->24870 24877 78323b 24876->24877 24878 783240 24876->24878 24886 788f01 75 API calls 4 library calls 24877->24886 24881 783268 24878->24881 24887 788ec9 75 API calls 4 library calls 24878->24887 24882 7832b9 ctype 24881->24882 24888 78378c 75 API calls 2 library calls 24881->24888 24882->24844 24884 78327e 24884->24882 24889 788410 62 API calls _wmemcpy_s 24884->24889 24888->24884 24889->24882 24890->24856 24892 79b06a ___BuildCatchObject 24891->24892 24893 79b0f2 ___BuildCatchObject 24892->24893 24894 79b0c9 HeapFree 24892->24894 24893->24853 24894->24893 24895 79b0dc 24894->24895 24897 79ef5a 62 API calls __getptd_noexit 24895->24897 24897->24893 24900 7845b8 _wcslen __EH_prolog3_catch 24898->24900 24899 7845fa 24904 784617 24899->24904 24921 787f4c 75 API calls 24899->24921 24900->24899 24920 78bc65 EnterCriticalSection std::_Lockit::_Lockit 24900->24920 24905 784631 24904->24905 24912 78abd0 24904->24912 24916 787f2f 24905->24916 24906 7846bd 24907 7846d7 24906->24907 24922 787e8a 75 API calls 2 library calls 24906->24922 24909 7846f0 codecvt 24907->24909 24923 78bc6e LeaveCriticalSection std::_Locinfo::~_Locinfo 24907->24923 24909->24860 24913 78abe3 24912->24913 24914 78ac4e 24912->24914 24913->24914 24924 78b60d 24913->24924 24914->24905 24917 787f48 24916->24917 24918 787f37 24916->24918 24917->24906 25053 787f15 75 API calls std::ios_base::_Init 24918->25053 24920->24899 24921->24904 24922->24907 24923->24909 24926 78b619 __EH_prolog3_GS 24924->24926 24925 78b628 24930 79afc7 ctype 5 API calls 24925->24930 24926->24925 24927 78b68e 24926->24927 24928 78b675 24926->24928 24958 
789d8a 75 API calls 2 library calls 24927->24958 24955 78ad7f 24928->24955 24932 78b7b7 24930->24932 24932->24913 24933 78b69f 24959 789a85 6 API calls ctype 24933->24959 24935 78b6ae 24960 7891ad 6 API calls ctype 24935->24960 24937 78b6b5 24961 789a85 6 API calls ctype 24937->24961 24939 78b6c6 24962 7891ad 6 API calls ctype 24939->24962 24941 78b7a1 24943 78895b codecvt 63 API calls 24941->24943 24942 78b7ba 24942->24941 24944 78b7bf 24942->24944 24943->24925 24945 78ad7f _Fputc 100 API calls 24944->24945 24946 78b7ca 24945->24946 24947 78895b codecvt 63 API calls 24946->24947 24947->24925 24948 78b7ea 24950 78895b codecvt 63 API calls 24948->24950 24949 789a85 6 API calls ctype 24953 78b6cd 24949->24953 24950->24925 24953->24941 24953->24942 24953->24948 24953->24949 24954 7891ad 6 API calls ctype 24953->24954 24963 79b8b1 98 API calls 5 library calls 24953->24963 24964 789b5e 75 API calls 4 library calls 24953->24964 24954->24953 24965 79c143 24955->24965 24957 78ad8f 24957->24925 24958->24933 24959->24935 24960->24937 24961->24939 24962->24953 24963->24953 24964->24953 24966 79c14f ___BuildCatchObject 24965->24966 24967 79c15f 24966->24967 24968 79c17e 24966->24968 25019 79ef5a 62 API calls __getptd_noexit 24967->25019 24978 79bcbf 24968->24978 24971 79c164 25020 798e3d 6 API calls 2 library calls 24971->25020 24977 79c174 ___BuildCatchObject 24977->24957 24979 79bcd1 24978->24979 24980 79bcf3 EnterCriticalSection 24978->24980 24979->24980 24982 79bcd9 24979->24982 24981 79bce9 24980->24981 24984 79bfbc 24981->24984 24983 7a229e __lock 62 API calls 24982->24983 24983->24981 24985 79bfde 24984->24985 24986 79c114 24984->24986 25022 7a2ec0 24985->25022 25013 79c0d0 24986->25013 25052 7a45a4 96 API calls 7 library calls 24986->25052 24990 7985b2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24992 79c141 24990->24992 24991 79c011 24991->24986 24995 7a2ec0 __fileno 62 API calls 24991->24995 25021 79c1b2 LeaveCriticalSection 
LeaveCriticalSection _fgetwc 24992->25021 24993 7a2ec0 __fileno 62 API calls 24994 79bff5 24993->24994 24994->24991 24997 7a2ec0 __fileno 62 API calls 24994->24997 24996 79c032 24995->24996 24998 79c05a 24996->24998 25001 7a2ec0 __fileno 62 API calls 24996->25001 24999 79c001 24997->24999 24998->24986 25003 7a2ec0 __fileno 62 API calls 24998->25003 25000 7a2ec0 __fileno 62 API calls 24999->25000 25000->24991 25002 79c03e 25001->25002 25002->24998 25005 7a2ec0 __fileno 62 API calls 25002->25005 25004 79c07b 25003->25004 25007 7a2ec0 __fileno 62 API calls 25004->25007 25017 79c0a3 25004->25017 25006 79c04a 25005->25006 25008 7a2ec0 __fileno 62 API calls 25006->25008 25009 79c087 25007->25009 25008->24998 25012 7a2ec0 __fileno 62 API calls 25009->25012 25009->25017 25010 79c0b7 25028 7a4884 25010->25028 25014 79c093 25012->25014 25013->24990 25015 7a2ec0 __fileno 62 API calls 25014->25015 25015->25017 25016 79c0c9 25016->25013 25031 7a2ef5 25016->25031 25017->24986 25017->25010 25019->24971 25021->24977 25023 7a2ecf 25022->25023 25024 79bfe4 25022->25024 25025 79ef5a __fgetwc_nolock 62 API calls 25023->25025 25024->24991 25024->24993 25026 7a2ed4 25025->25026 25027 798e3d __wctomb_s_l 6 API calls 25026->25027 25027->25024 25029 7a4718 __wctomb_s_l 74 API calls 25028->25029 25030 7a489c 25029->25030 25030->25016 25032 7a2ec0 __fileno 62 API calls 25031->25032 25033 7a2f05 25032->25033 25034 7a2f10 25033->25034 25035 7a2f27 25033->25035 25037 79ef5a __fgetwc_nolock 62 API calls 25034->25037 25036 7a2f2b 25035->25036 25046 7a2f38 __flsbuf 25035->25046 25038 79ef5a __fgetwc_nolock 62 API calls 25036->25038 25045 7a2f15 25037->25045 25038->25045 25039 7a2f99 25040 7a3028 25039->25040 25041 7a2fa8 25039->25041 25042 7a37d5 __locking 96 API calls 25040->25042 25043 7a2fbf 25041->25043 25049 7a2fdc 25041->25049 25042->25045 25044 7a37d5 __locking 96 API calls 25043->25044 25044->25045 25045->25016 25046->25039 25046->25045 25047 7a7aec __write_nolock 62 API calls 25046->25047 
25048 7a2f8e 25046->25048 25047->25048 25048->25039 25051 7a3059 __getbuf 62 API calls 25048->25051 25049->25045 25050 7a79d3 __lseeki64 66 API calls 25049->25050 25050->25045 25051->25039 25052->25013 25053->24917 25055 788580 _strlen 25054->25055 25058 7884fd 25055->25058 25057 78136d 25057->24642 25059 78850d std::_Locinfo::_Locinfo_ctor 25058->25059 25060 78852f 25059->25060 25061 788511 25059->25061 25080 7887fa 25060->25080 25067 788866 25061->25067 25064 78853b 25065 78852d std::locale::_Locimp::_Locimp 25064->25065 25089 78891e 62 API calls ctype 25064->25089 25065->25057 25068 788879 25067->25068 25069 78887e 25067->25069 25090 788f01 75 API calls 4 library calls 25068->25090 25071 7888ac 25069->25071 25072 788894 25069->25072 25074 7887fa std::runtime_error::runtime_error 75 API calls 25071->25074 25091 7885f1 75 API calls 3 library calls 25072->25091 25078 7888b4 25074->25078 25075 78889e 25092 7885f1 75 API calls 3 library calls 25075->25092 25077 7888aa std::locale::_Locimp::_Locimp 25077->25065 25078->25077 25093 78891e 62 API calls ctype 25078->25093 25081 78880c 25080->25081 25082 788807 25080->25082 25084 788811 25081->25084 25087 78881e 25081->25087 25102 788ec9 75 API calls 4 library calls 25082->25102 25094 788718 25084->25094 25086 78881c std::locale::_Locimp::_Locimp 25086->25064 25087->25086 25088 78895b codecvt 63 API calls 25087->25088 25088->25086 25089->25065 25091->25075 25092->25077 25093->25077 25095 788724 __EH_prolog3_catch 25094->25095 25103 7886be 25095->25103 25097 78876d 25100 7887bf 25097->25100 25115 78891e 62 API calls ctype 25097->25115 25098 78895b codecvt 63 API calls 25101 7887cd std::locale::_Locimp::_Locimp codecvt 25098->25101 25100->25098 25101->25086 25104 7886cb 25103->25104 25105 7886d6 25103->25105 25108 7987a2 codecvt 74 API calls 25104->25108 25105->25104 25106 7886e2 25105->25106 25116 798818 62 API calls 3 library calls 25106->25116 25110 7886d3 25108->25110 25109 7886f2 25117 79aaa9 RaiseException 25109->25117 
25110->25097 25112 788707 25113 7886be std::runtime_error::runtime_error 74 API calls 25112->25113 25114 788713 25113->25114 25114->25097 25115->25100 25116->25109 25117->25112 25119 788909 std::locale::_Locimp::_Locimp 25118->25119 25120 788866 std::runtime_error::runtime_error 75 API calls 25119->25120 25121 788918 25120->25121 25122 7910b2 25121->25122 25123 7910be __EH_prolog3 25122->25123 25134 7940b6 25123->25134 25127 7910e2 codecvt 25127->24647 25129 7910f6 __EH_prolog3 25128->25129 25130 7940b6 74 API calls 25129->25130 25131 79110d 25130->25131 25164 790ce5 25131->25164 25133 79111a codecvt 25133->24649 25135 7940cc 25134->25135 25144 793f08 25135->25144 25137 7910d5 25138 790d29 25137->25138 25139 790d40 25138->25139 25140 790d44 25138->25140 25139->25127 25141 790d52 25140->25141 25162 790769 75 API calls 4 library calls 25140->25162 25163 78f17a 74 API calls 25141->25163 25147 783829 25144->25147 25146 793f15 ctype 25146->25137 25150 7848b5 25147->25150 25151 7848d2 25150->25151 25152 7848c2 25150->25152 25151->25152 25153 7848de 25151->25153 25154 7987a2 codecvt 74 API calls 25152->25154 25160 798818 62 API calls 3 library calls 25153->25160 25156 783834 25154->25156 25156->25146 25157 7848ee 25161 79aaa9 RaiseException 25157->25161 25159 784903 25160->25157 25161->25159 25163->25139 25165 790d00 25164->25165 25166 790cfc 25164->25166 25165->25166 25168 790769 75 API calls 4 library calls 25165->25168 25166->25133 25169->24655 25171 78e076 25170->25171 25178 78d559 25171->25178 25173 78e082 25174 78e087 25173->25174 25175 78e096 25174->25175 25221 78d597 25175->25221 25177 78e0a2 25177->24663 25179 78d565 __EH_prolog3 25178->25179 25184 78d427 25179->25184 25183 78d58d codecvt 25183->25173 25185 78d43d 25184->25185 25191 78d27b 25185->25191 25188 78cff3 25203 78ce1c 25188->25203 25190 78cffb 25190->25183 25192 78d291 25191->25192 25195 78d1db 25192->25195 25196 78d1f1 25195->25196 25199 78cf14 25196->25199 25200 78cf2a 25199->25200 25201 793f08 74 API 
calls 25200->25201 25202 78cf31 25201->25202 25202->25188 25206 78cd3a 25203->25206 25205 78ce2e 25205->25190 25209 78cad8 25206->25209 25210 78caf3 25209->25210 25211 78cae5 25209->25211 25210->25211 25212 78caff 25210->25212 25214 7987a2 codecvt 74 API calls 25211->25214 25219 788660 62 API calls std::exception::exception 25212->25219 25216 78caf0 25214->25216 25215 78cb09 25220 79aaa9 RaiseException 25215->25220 25216->25205 25218 78cb17 25219->25215 25220->25218 25222 78d5a3 __EH_prolog3 25221->25222 25227 78d44e 25222->25227 25226 78d5cb codecvt 25226->25177 25228 78d464 25227->25228 25234 78d2a2 25228->25234 25231 78d19c 25249 78ce92 25231->25249 25233 78d1a4 25233->25226 25235 78d2b8 25234->25235 25238 78d206 25235->25238 25239 78d21c 25238->25239 25242 78cf38 25239->25242 25243 78cf4e 25242->25243 25246 78349c 25243->25246 25247 7848b5 ctype 74 API calls 25246->25247 25248 7834a8 25247->25248 25248->25231 25252 78cbea 25249->25252 25251 78cea4 25251->25233 25255 78ca98 25252->25255 25256 78cab3 25255->25256 25257 78caa5 25255->25257 25256->25257 25258 78cabf 25256->25258 25259 7987a2 codecvt 74 API calls 25257->25259 25265 788660 62 API calls std::exception::exception 25258->25265 25261 78cab0 25259->25261 25261->25251 25262 78cac9 25266 79aaa9 RaiseException 25262->25266 25264 78cad7 25265->25262 25266->25264 25268 7a018e 25267->25268 25278 7a00ed 25267->25278 25298 7a01b4 6 API calls __decode_pointer 25268->25298 25270 7a0194 25299 79ef5a 62 API calls __getptd_noexit 25270->25299 25275 7a014a RtlAllocateHeap 25275->25278 25276 7a00fe 25276->25278 25289 7a1310 62 API calls 2 library calls 25276->25289 25290 7a1165 62 API calls 7 library calls 25276->25290 25291 79f4a6 25276->25291 25278->25275 25278->25276 25279 7a017a 25278->25279 25282 7a017f 25278->25282 25284 7a0186 25278->25284 25294 7a008c 62 API calls 4 library calls 25278->25294 25295 7a01b4 6 API calls __decode_pointer 25278->25295 25296 79ef5a 62 API calls __getptd_noexit 25279->25296 25297 
79ef5a 62 API calls __getptd_noexit 25282->25297 25284->24666 25285->24666 25286->24669 25287->24672 25288->24675 25289->25276 25290->25276 25300 79f47b GetModuleHandleW 25291->25300 25294->25278 25295->25278 25296->25282 25297->25284 25298->25270 25299->25284 25301 79f48f GetProcAddress 25300->25301 25302 79f4a4 ExitProcess 25300->25302 25301->25302 25303 79f49f 25301->25303 25303->25302 25305 79105d std::_Locinfo::_Locinfo __EH_prolog3 25304->25305 25306 788591 std::locale::_Locimp::_Locimp 75 API calls 25305->25306 25307 79108b 25306->25307 25321 78f787 74 API calls __init_pointers 25307->25321 25309 79109a 25322 790ac9 75 API calls 3 library calls 25309->25322 25311 7910a8 codecvt 25311->24686 25323 78f224 25312->25323 25314 78f7d2 __init_pointers 25314->24683 25316 791f4a __EH_prolog3 25315->25316 25327 79192f 25316->25327 25318 791f5c 25333 791726 25318->25333 25320 791f6c codecvt ctype 25320->24687 25321->25309 25322->25311 25324 78f230 __EH_prolog3_catch 25323->25324 25325 7987a2 codecvt 74 API calls 25324->25325 25326 78f240 codecvt 25325->25326 25326->25314 25328 79193e 25327->25328 25329 79194d 25328->25329 25339 78faff 6 API calls 25328->25339 25329->25318 25331 791968 25340 791778 75 API calls 25331->25340 25334 791735 25333->25334 25337 791744 25334->25337 25341 78faff 6 API calls 25334->25341 25336 79175f 25342 791122 75 API calls 25336->25342 25337->25320 25339->25331 25340->25329 25341->25336 25342->25337 25385 78596d 25343->25385 25345 784dd9 25393 7859cd 25345->25393 25347 784dea 25402 795059 25347->25402 25349 784dfb 25408 783075 25349->25408 25352 7986ff ctype 63 API calls 25353 784e0d 25352->25353 25414 782ffc 25353->25414 25356 7986ff ctype 63 API calls 25357 784e20 25356->25357 25357->24701 25359 794a72 25358->25359 25464 7948a3 25359->25464 25361 794a7d 25361->24703 25474 785316 25362->25474 25364 784e71 25478 796441 25364->25478 25366 784e86 25546 78509c 25366->25546 25371 7986ff ctype 63 API calls 25372 784eac 25371->25372 25573 7975db 
25372->25573 25374 784eba 25375 78314a 63 API calls 25374->25375 25376 784ec3 25375->25376 25377 7986ff ctype 63 API calls 25376->25377 25378 784447 25377->25378 25379 784a04 25378->25379 25380 784a10 __EH_prolog3 25379->25380 25381 783075 ctype 63 API calls 25380->25381 25382 784a35 25381->25382 25383 7986ff ctype 63 API calls 25382->25383 25384 784a3c codecvt 25383->25384 25384->24707 25386 785979 __EH_prolog3 25385->25386 25420 7829c4 25386->25420 25388 7859c4 codecvt 25388->25345 25389 7828fe 75 API calls 25390 78598b 25389->25390 25390->25388 25390->25389 25392 782f03 ctype 63 API calls 25390->25392 25424 785035 75 API calls ctype 25390->25424 25392->25390 25394 7859d9 __EH_prolog3 25393->25394 25395 7829c4 74 API calls 25394->25395 25396 7859eb 25395->25396 25398 785a48 codecvt 25396->25398 25401 78895b codecvt 63 API calls 25396->25401 25428 782af3 6 API calls ctype 25396->25428 25429 798207 75 API calls 25396->25429 25430 785fa1 75 API calls ctype 25396->25430 25398->25347 25401->25396 25403 795065 __EH_prolog3 25402->25403 25404 7829c4 74 API calls 25403->25404 25405 79506f ctype 25404->25405 25431 794f74 25405->25431 25407 795091 codecvt 25407->25349 25409 78307f 25408->25409 25410 783090 25408->25410 25462 7834bc 63 API calls ctype 25409->25462 25410->25352 25412 783088 25413 7986ff ctype 63 API calls 25412->25413 25413->25410 25415 783006 25414->25415 25419 783017 25414->25419 25463 782fe5 63 API calls 25415->25463 25417 78300f 25418 7986ff ctype 63 API calls 25417->25418 25418->25419 25419->25356 25421 7829d0 __EH_prolog3 25420->25421 25425 783026 25421->25425 25423 7829de codecvt 25423->25390 25424->25390 25426 78349c ctype 74 API calls 25425->25426 25427 783039 25426->25427 25427->25423 25428->25396 25429->25396 25430->25396 25434 786f82 25431->25434 25435 786f95 25434->25435 25440 786fb1 25434->25440 25436 786faa 25435->25436 25437 786fb6 25435->25437 25455 787086 75 API calls ctype 25436->25455 25438 786fcb 25437->25438 25443 786ff9 25437->25443 
25456 787262 75 API calls 25438->25456 25440->25407 25442 786fd7 25457 7834bc 63 API calls ctype 25442->25457 25445 787023 25443->25445 25446 787005 25443->25446 25448 78703d 25445->25448 25459 7834bc 63 API calls ctype 25445->25459 25458 787262 75 API calls 25446->25458 25460 782f9f 75 API calls 2 library calls 25448->25460 25451 787035 25453 7986ff ctype 63 API calls 25451->25453 25452 787017 25452->25440 25461 78728a 75 API calls ctype 25452->25461 25453->25448 25455->25440 25456->25442 25457->25440 25458->25452 25459->25451 25460->25452 25461->25440 25462->25412 25463->25417 25465 7948af __EH_prolog3 25464->25465 25466 79490e codecvt 25465->25466 25467 788591 std::locale::_Locimp::_Locimp 75 API calls 25465->25467 25466->25361 25468 7948f0 25467->25468 25472 794795 75 API calls 25468->25472 25470 794900 25473 79aaa9 RaiseException 25470->25473 25472->25470 25473->25466 25475 785322 __EH_prolog3 25474->25475 25476 783026 ctype 74 API calls 25475->25476 25477 785330 codecvt 25476->25477 25477->25364 25479 796462 __EH_prolog3 25478->25479 25584 794a85 75 API calls 2 library calls 25479->25584 25481 79647a 25483 796498 25481->25483 25585 794efb 75 API calls 25481->25585 25484 7964dc ctype 25483->25484 25586 794efb 75 API calls 25483->25586 25485 796526 ctype 25484->25485 25587 794efb 75 API calls 25484->25587 25490 796573 ctype 25485->25490 25588 794efb 75 API calls 25485->25588 25488 796611 ctype 25591 794efb 75 API calls 25488->25591 25493 7965c2 ctype 25490->25493 25589 794efb 75 API calls 25490->25589 25493->25488 25590 794efb 75 API calls 25493->25590 25494 796655 ctype 25496 785316 74 API calls 25494->25496 25529 796669 25496->25529 25497 7967e3 25498 785316 74 API calls 25497->25498 25499 7967ee ctype 25498->25499 25501 79694f 25499->25501 25502 78ca0b 6 API calls 25499->25502 25544 792e05 6 API calls 25499->25544 25545 785fa1 75 API calls 25499->25545 25600 7959a2 75 API calls 25499->25600 25601 7942b6 6 API calls 25499->25601 25602 792cc4 75 API calls 3 

              Control-flow Graph

              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00781334
                • Part of subcall function 00781729: __EH_prolog3_GS.LIBCMT ref: 00781730
                • Part of subcall function 0078183E: __EH_prolog3_GS.LIBCMT ref: 00781845
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID: H_prolog3_$H_prolog3_catch
              • String ID: Don't use any page files.$Let the system manage all page files.$Options$Set pagefile options for a drive. Where args are: driveletter: min max. Sizes are in megabytes (Mb).$This help message.$auto$auto,a$help$help,h$none$none,n$set$set,s
              • API String ID: 756925408-3976253575
              • Opcode ID: 025db0c26deeb3d6bd1629104f370a2fe2a438565ef677055b78cba226e8f9ae
              • Instruction ID: 2e9b0942462e51bc5f3ca4ff46fe64ea9cdd9ee9e0a9077444f09c1a4a3a859e
              • Opcode Fuzzy Hash: 025db0c26deeb3d6bd1629104f370a2fe2a438565ef677055b78cba226e8f9ae
              • Instruction Fuzzy Hash: 0B71B471980248EADF20FBA4D84AEEDB7B89F55300F504159F40AA3182EF3C5F49C762

              Control-flow Graph

              [Control-flow graph for the function starting at 78b60d; nodes are marked Executed or Not Executed]
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID: FputcH_prolog3_
              • String ID:
              • API String ID: 4013897487-3916222277
              • Opcode ID: d0d21321cc4976f3d3a6e113c103db4135d2d8f06d689020b41f6650832bbf4c
              • Instruction ID: 870112d607813e9521e1618afb537c06cad1d4adc853315f988868767f984a91
              • Opcode Fuzzy Hash: d0d21321cc4976f3d3a6e113c103db4135d2d8f06d689020b41f6650832bbf4c
              • Instruction Fuzzy Hash: 5E51A436980209DBDF14FFA4C8859FEB7B5AF98300F54842AF502A7581EF78A944CB51

              Control-flow Graph

              [Control-flow graph for the function starting at 789f88; nodes are marked Executed or Not Executed]
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID: Fputc$H_prolog3_
              • String ID:
              • API String ID: 2569218679-3916222277
              • Opcode ID: 0951ffa38b7fcb0cf05d388ff158a054b742ee26f48c4008a31924078e3ab27b
              • Instruction ID: a95f4d7ab144011821b7bf1a079ba174411ec9eb0b649afc249392dd8a443360
              • Opcode Fuzzy Hash: 0951ffa38b7fcb0cf05d388ff158a054b742ee26f48c4008a31924078e3ab27b
              • Instruction Fuzzy Hash: DD519631D80208EFDF14FBA4D889DFEB7B5AF95300F18851AE612A7181EF39A904CB51

              Control-flow Graph

              [Control-flow graph for the function starting at 7987a2; nodes are marked Executed or Not Executed]
              APIs
              • _malloc.LIBCMT ref: 007987BC
                • Part of subcall function 007A00DB: __FF_MSGBANNER.LIBCMT ref: 007A00FE
                • Part of subcall function 007A00DB: __NMSG_WRITE.LIBCMT ref: 007A0105
                • Part of subcall function 007A00DB: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0079DBAC,?,00000001,?,?,007A2228,00000018,007B37B0,0000000C,007A22B9), ref: 007A0152
              • std::bad_alloc::bad_alloc.LIBCMT ref: 007987DF
                • Part of subcall function 00798787: std::exception::exception.LIBCMT ref: 00798793
              • __CxxThrowException@8.LIBCMT ref: 00798801
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
              • String ID: JIx
              • API String ID: 3715980512-4247379014
              • Opcode ID: 0f2a1a25b8cc12b9ca30536c94d71cce0bad7a2bcc20da63790ad40582859401
              • Instruction ID: 67d60b300132f7c0b383d4f4f5dec49655ffda23c31f7fabf5bc7e5a5e0f60bc
              • Opcode Fuzzy Hash: 0f2a1a25b8cc12b9ca30536c94d71cce0bad7a2bcc20da63790ad40582859401
              • Instruction Fuzzy Hash: 79F0E231501209B6DF8477E0FC0ABAD3BA84B83724B204129E91155192DF7CE90482D2

              Control-flow Graph

              [Control-flow graph for the function starting at 7886be; nodes are marked Executed or Not Executed]
              APIs
              • std::exception::exception.LIBCMT ref: 007886ED
              • __CxxThrowException@8.LIBCMT ref: 00788702
                • Part of subcall function 007987A2: _malloc.LIBCMT ref: 007987BC
              Strings
              Similarity
              • API ID: Exception@8Throw_mallocstd::exception::exception
              • String ID: L>{
              • API String ID: 4063778783-13835903
              • Opcode ID: 9c6e5437e2f4eea5696d89846dd4285181f49dcb85daa3b47e5ad5ae75810e28
              • Instruction ID: 8c7049a8810e56d100e0519b06a39557c901baf28d7440dc8aa8c2079bbf2959
              • Opcode Fuzzy Hash: 9c6e5437e2f4eea5696d89846dd4285181f49dcb85daa3b47e5ad5ae75810e28
              • Instruction Fuzzy Hash: 65F02E715101087ADF48FA64E80AB8E37A9EB50710F60C22DF411910C2EFB4D2448796

              Control-flow Graph

              APIs
              Strings
              • Only one tab per paragraph is allowed, xrefs: 007925C0
              Similarity
              • API ID: H_prolog3
              • String ID: Only one tab per paragraph is allowed
              • API String ID: 431132790-829416125
              • Opcode ID: 0ab289a92cd353839ae8e96703d3c038068f0cde48cc7b699ee411ce7adfff6d
              • Instruction ID: d42e22ff18f23c303737c44b64c634b4d9a3b1cc8bd499c680393488dcb110a5
              • Opcode Fuzzy Hash: 0ab289a92cd353839ae8e96703d3c038068f0cde48cc7b699ee411ce7adfff6d
              • Instruction Fuzzy Hash: 89A16B72440148EFCF15FFA0C899EED3BA5AF18354F440159FE06A71A2EB39E955CB90

              Control-flow Graph

              APIs
              Similarity
              • API ID: H_prolog3_catch_wcslen
              • String ID:
              • API String ID: 1260878687-0
              • Opcode ID: d76c38ec8c0577ebb4495c53f36b40977844ec9123102a61e4f6bc9c391e3d2f
              • Instruction ID: ba2340432e1d99a1745af55206bd415cf09cfb7e759b626e5cfa2d76dcfa8eb4
              • Opcode Fuzzy Hash: d76c38ec8c0577ebb4495c53f36b40977844ec9123102a61e4f6bc9c391e3d2f
              • Instruction Fuzzy Hash: D9516670A40206CFCB20EF58C589A6CBBF1AF59304F258099E146DB3A2D7B9DE40CB81

              Control-flow Graph

              APIs
              Similarity
              • API ID: H_prolog3_catch_strlen
              • String ID:
              • API String ID: 3133806014-0
              • Opcode ID: 0b61174bcc40d3afa056609ac00597f900ed842da5a6fd72881c68c6fdcda44e
              • Instruction ID: cf8f03b9ea983e263c462d467a15ee898f5606d1d914db32c3434ff134dbc5a7
              • Opcode Fuzzy Hash: 0b61174bcc40d3afa056609ac00597f900ed842da5a6fd72881c68c6fdcda44e
              • Instruction Fuzzy Hash: B8416D34640245CFCB10EFA8C989B6DBBF0AF18324F254158E655DB3A2C779DE40CB81

              Control-flow Graph

              APIs
              Similarity
              • API ID: H_prolog3_catchchar_traits
              • String ID:
              • API String ID: 1964944973-0
              • Opcode ID: 3606756e3f44cb99b91aa17f19677403a71090b5a8ea45f2806f3a9d910bb193
              • Instruction ID: 6183f5c7a8bb69fd9f2836346484c4bf90df019aa64130314fd4c6f00b0b855b
              • Opcode Fuzzy Hash: 3606756e3f44cb99b91aa17f19677403a71090b5a8ea45f2806f3a9d910bb193
              • Instruction Fuzzy Hash: CA11D372A40605EBDB44EF94C84176CB376BB94320FB08616F915AB2C1DF79BA508BD2

              Control-flow Graph

              APIs
              • ___crtCorExitProcess.LIBCMT ref: 0079F4AE
                • Part of subcall function 0079F47B: GetModuleHandleW.KERNEL32(mscoree.dll,?,0079F4B3,?,?,007A0114,000000FF,0000001E,?,0079DBAC,?,00000001,?,?,007A2228,00000018), ref: 0079F485
                • Part of subcall function 0079F47B: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0079F495
              • ExitProcess.KERNEL32 ref: 0079F4B7
              Similarity
              • API ID: ExitProcess$AddressHandleModuleProc___crt
              • String ID:
              • API String ID: 2427264223-0
              • Opcode ID: 8b89f3ad6c9b6077b7f69f1968f79a2439f03039763907e3d31a182f8c396ef8
              • Instruction ID: 5b535f93fcc07aae96cd03c21c2de64fc4cf6b5286803237ccb4755457a16b7d
              • Opcode Fuzzy Hash: 8b89f3ad6c9b6077b7f69f1968f79a2439f03039763907e3d31a182f8c396ef8
              • Instruction Fuzzy Hash: 8CB09B31000148FBCF112F51DC0D84B3F25DB81751711C020F41445131DF759D529694

              Control-flow Graph

              APIs
              • __EH_prolog3.LIBCMT ref: 00792AB5
                • Part of subcall function 00791AA2: __EH_prolog3_catch.LIBCMT ref: 00791AA9
                • Part of subcall function 0078446E: __EH_prolog3_catch.LIBCMT ref: 00784475
                • Part of subcall function 0078446E: _strlen.LIBCMT ref: 00784482
                • Part of subcall function 00792986: __EH_prolog3.LIBCMT ref: 00792990
              Similarity
              • API ID: H_prolog3H_prolog3_catch$_strlen
              • String ID:
              • API String ID: 2084972985-0
              • Opcode ID: 5a7afcb1de062e0e407e9f0f563a7b48512765dd30e8f2117bf0a32b21a43c87
              • Instruction ID: 5d9c6e55fe76b46e131f46cc61c56e6ed41c32c4e0d01dad23dbc48bfaad9c8b
              • Opcode Fuzzy Hash: 5a7afcb1de062e0e407e9f0f563a7b48512765dd30e8f2117bf0a32b21a43c87
              • Instruction Fuzzy Hash: 7E51B572A44219EEDF05FBF0ED5AAEE77B9AF40310F10441AF40267182EF7C9A5187A5

              Control-flow Graph

              APIs
              Similarity
              • API ID: H_prolog3_
              • String ID:
              • API String ID: 2427045233-0
              • Opcode ID: eb94f2efaf6ceb636488654cf7ff0ccb7f4c1107be3a3e41f8e03b37f6d6d0eb
              • Instruction ID: 7a9ebc3e3457c6763f1f828ffbfad7da58d824ff2644ff45f58ee3d5ef2edd68
              • Opcode Fuzzy Hash: eb94f2efaf6ceb636488654cf7ff0ccb7f4c1107be3a3e41f8e03b37f6d6d0eb
              • Instruction Fuzzy Hash: 72318D71841219EADF25FB50EC5ABEDB378AF16310F4080D9E54977182DF386F8A8B61

              Control-flow Graph

              APIs
              • __EH_prolog3.LIBCMT ref: 00792990
                • Part of subcall function 00792109: __EH_prolog3.LIBCMT ref: 00792110
                • Part of subcall function 00790B8B: __EH_prolog3.LIBCMT ref: 00790B92
                • Part of subcall function 0078446E: __EH_prolog3_catch.LIBCMT ref: 00784475
                • Part of subcall function 0078446E: _strlen.LIBCMT ref: 00784482
                • Part of subcall function 00791AA2: __EH_prolog3_catch.LIBCMT ref: 00791AA9
                • Part of subcall function 00791C85: __EH_prolog3_catch.LIBCMT ref: 00791C8C
                • Part of subcall function 00791F80: __EH_prolog3_catch.LIBCMT ref: 00791F87
              Similarity
              • API ID: H_prolog3_catch$H_prolog3$_strlen
              • String ID:
              • API String ID: 392102239-0
              • Opcode ID: ce8874cbfa62dcb2f25fa53a567483e19d720a6a650c51d0f98654caecbf1e70
              • Instruction ID: b6abdf6ae3a7aa1455c1cfd4b18afef90953d84d9b223780965cb00eb7aa0c5c
              • Opcode Fuzzy Hash: ce8874cbfa62dcb2f25fa53a567483e19d720a6a650c51d0f98654caecbf1e70
              • Instruction Fuzzy Hash: CB31D432841209EEEF15FBA0ED1AFDD77B99F14320F508189F40967182EE786A05CB72

              Control-flow Graph

              APIs
              • __EH_prolog3.LIBCMT ref: 007922DD
                • Part of subcall function 007987A2: _malloc.LIBCMT ref: 007987BC
                • Part of subcall function 007987A2: std::bad_alloc::bad_alloc.LIBCMT ref: 007987DF
                • Part of subcall function 007987A2: __CxxThrowException@8.LIBCMT ref: 00798801
              Similarity
              • API ID: Exception@8H_prolog3Throw_mallocstd::bad_alloc::bad_alloc
              • String ID:
              • API String ID: 491441085-0
              • Opcode ID: 18a5db78d040b70e075df3f2ac0f89970eb2eb16632af80897f6c1b579dbe1d0
              • Instruction ID: d294be82c098a91657671029020a03a70747b45f0c3d266dfb8618bba86d3638
              • Opcode Fuzzy Hash: 18a5db78d040b70e075df3f2ac0f89970eb2eb16632af80897f6c1b579dbe1d0
              • Instruction Fuzzy Hash: 89019270640209FBEF44FBA4DD4BAAE7765AF00320F104229F9119A1C2DF7C8A418761

              Control-flow Graph

              APIs
              • std::_String_base::_Xlen.LIBCPMT ref: 00788807
                • Part of subcall function 00788EC9: __EH_prolog3.LIBCMT ref: 00788ED0
                • Part of subcall function 00788EC9: __CxxThrowException@8.LIBCMT ref: 00788EFB
              Similarity
              • API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1675473389-0
              • Opcode ID: 75f3a10fa21f4752a747140b7b8218387fec2d054a69ddc817c50ec50effc0c4
              • Instruction ID: 45f2c29085ed65dab6fb24bec432f82df4abc52d1ca40494e9f189c34d8e5a41
              • Opcode Fuzzy Hash: 75f3a10fa21f4752a747140b7b8218387fec2d054a69ddc817c50ec50effc0c4
              • Instruction Fuzzy Hash: 10F0B4327E46109EDAB17568C80453F55A79FD1B60BD50F1EF852831C2DF7C98458393
              APIs
              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 007A1E9F
              Similarity
              • API ID: CreateHeap
              • String ID:
              • API String ID: 10892065-0
              • Opcode ID: 4fb01996c65871e52287538980feb710187756e0d249407212da933d8f581879
              • Instruction ID: 15045cab77e8a365fb706b44cf9779b553fe4723fc3e29fa0d313998e1aafffa
              • Opcode Fuzzy Hash: 4fb01996c65871e52287538980feb710187756e0d249407212da933d8f581879
              • Instruction Fuzzy Hash: 8AD05E36954348AEEB10AFB17C08B673BECA7C4396F00C536BA0DC6250F678D5508A08
              APIs
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: 3dc2762f278a2eec10c3bca226ffc830697792326f0c65507cdd55469475a6c4
              • Instruction ID: 45efb3b20c41c4c9b9ebaff25f000347a9b271c59e9f26e9ba1a49f4a963021d
              • Opcode Fuzzy Hash: 3dc2762f278a2eec10c3bca226ffc830697792326f0c65507cdd55469475a6c4
              • Instruction Fuzzy Hash: EFC08C32104220AA49553610A809C6FAA45CB81230B00C80FBC48012118D3A8C90859A
              APIs
              • _doexit.LIBCMT ref: 0079F6CE
                • Part of subcall function 0079F596: __lock.LIBCMT ref: 0079F5A4
                • Part of subcall function 0079F596: __decode_pointer.LIBCMT ref: 0079F5DB
                • Part of subcall function 0079F596: __decode_pointer.LIBCMT ref: 0079F5F0
                • Part of subcall function 0079F596: __decode_pointer.LIBCMT ref: 0079F61A
                • Part of subcall function 0079F596: __decode_pointer.LIBCMT ref: 0079F630
                • Part of subcall function 0079F596: __decode_pointer.LIBCMT ref: 0079F63D
                • Part of subcall function 0079F596: __initterm.LIBCMT ref: 0079F66C
                • Part of subcall function 0079F596: __initterm.LIBCMT ref: 0079F67C
              Similarity
              • API ID: __decode_pointer$__initterm$__lock_doexit
              • String ID:
              • API String ID: 1597249276-0
              • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
              • Instruction ID: 9e6faec162b0dae8a305f4c08d7b3a2b5d73c0a17fca5bfc1bc4b5c337faff51
              • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
              • Instruction Fuzzy Hash: D9B0923258020873DA202952AC07F063A0987C0BA4E650020FA0C1D1A1A9A2A9A5808A
              APIs
              Similarity
              • API ID: ___getlocaleinfo
              • String ID:
              • API String ID: 1937885557-0
              • Opcode ID: 2a5bb40b8e7486997eb0079059d66f16d5dce17c6034ac71dfad862cf25795b9
              • Instruction ID: f60d1c27da1458ffd28af1a5cc90b41d9e5e8bb007c6561e02d05d0585e5d269
              • Opcode Fuzzy Hash: 2a5bb40b8e7486997eb0079059d66f16d5dce17c6034ac71dfad862cf25795b9
              • Instruction Fuzzy Hash: 85E1D1B290020DFEFF11DAE1CC85DFF77BEEB48744F04492AB256D2441EA75AA059760
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 0079F815
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0079F82A
              • UnhandledExceptionFilter.KERNEL32(007AC4F0), ref: 0079F835
              • GetCurrentProcess.KERNEL32(C0000409), ref: 0079F851
              • TerminateProcess.KERNEL32(00000000), ref: 0079F858
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 2579439406-0
              • Opcode ID: c88cbda013b17f8e05c3389c941f8bca4455d9615994e3fecd720884b7b1f7cc
              • Instruction ID: c407e21446b0b4e290182860ce2aa5c8e931eea8a4253aea982fc7fb0983b6ab
              • Opcode Fuzzy Hash: c88cbda013b17f8e05c3389c941f8bca4455d9615994e3fecd720884b7b1f7cc
              • Instruction Fuzzy Hash: AC21EBB49042189FDB40DF28EC89F557BB4BB8A304F00C21AE72996B61E7BC5880CF4D
              APIs
              • GetVersionExW.KERNEL32(?), ref: 00788A0B
              Similarity
              • API ID: Version
              • String ID:
              • API String ID: 1889659487-0
              • Opcode ID: 9a460809592b33908f99adc7da218c59d3ba5e1a9d2fded85f8a78d1825495c0
              • Instruction ID: ef5a1f9dd30ba7714439523160e6e2087eb77145e0c0a87734c6172fd78420e3
              • Opcode Fuzzy Hash: 9a460809592b33908f99adc7da218c59d3ba5e1a9d2fded85f8a78d1825495c0
              • Instruction Fuzzy Hash: F341D521549BC4CDD776DE688448796BFE01B32308F58CD8EC4D647A83C6A9A68CC7A3
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_00021700), ref: 007A1747
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 851feb39dc252d742829e2cf3add8939e1f313a56d6bf9c7285d686f704beaa2
              • Instruction ID: 05c23187c02755617cf9e01930b9e58845322137fee19ee64775f46aae46ae45
              • Opcode Fuzzy Hash: 851feb39dc252d742829e2cf3add8939e1f313a56d6bf9c7285d686f704beaa2
              • Instruction Fuzzy Hash: 6F9002A425520086961057705C4941767905ACA697B82E650E012C4455DB6840005525
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
              • Instruction ID: 876cf3dd32846b96bc7b51b80109e30714987f212f9fbc690d20b3ddb826be0e
              • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
              • Instruction Fuzzy Hash: A8D17D73C0F9B34A9B36862D60A813EEE626FD174031EC3E5DCE82F28D952B5D0195D1
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
              • Instruction ID: d6072e1079167dc25542918268bffc82b5c4a11d7c46fe5721c0c20bbfddad01
              • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
              • Instruction Fuzzy Hash: E7D18E73C0E9B34A9B35852D649823EEEA26FD175031EC3E9CDE83F28DD22A5D0195D0
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
              • Instruction ID: c08a196841e2255f6571f23fad2e7b5163bb4e581a0634d7cf913dde5a8d8da1
              • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
              • Instruction Fuzzy Hash: E4C18D73C1E9B34A9B36852D60A852EEE626FD175131FC3E8CDE83F28D912B5D0186D0
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
              • Instruction ID: 7d1e264682eeb3dcbc7f90777b2db01a391baed35bc433c3cf53057d0a719380
              • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
              • Instruction Fuzzy Hash: 99C18E73D1E9B34A9B36852E609812FEE626FD174131FC3A8CDE82F28DD52B5D1186D0
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction ID: 33552173d82eb922b3c6636f64d9b347e5ebfff8ece0809606eb398f4c9047b6
              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction Fuzzy Hash: E811087F20118243DE048B6DF4B47BFA795FBCA32173C437AD041CB758D22AE9459500
              APIs
              • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management,00000000,00000002,?,445E45D0), ref: 00781B02
              • RegSetValueExW.ADVAPI32(?,PagingFiles,00000000,00000007,?,?,00000001,00000000,?), ref: 00781BCA
              • RegCloseKey.ADVAPI32(?), ref: 00781BF8
                • Part of subcall function 007845AC: __EH_prolog3_catch.LIBCMT ref: 007845B3
                • Part of subcall function 007845AC: _wcslen.LIBCMT ref: 007845C3
              Strings
              • String ID: ?:\pagefile.sys$ERROR: Unable to write to the registry - please ensure you have administrator rights.$PagingFiles$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management$Setting system to automatically manage pagefiles. Please reboot for changes to take effect.$SystemRoot$\pagefile.sys 0 0
              APIs
              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,007B3640,0000000C,0079FB02,00000000,00000000,?,00000000,0078291A,00000000,?,00781D70), ref: 0079F9D9
              • __crt_waiting_on_module_handle.LIBCMT ref: 0079F9E4
                • Part of subcall function 0079F422: Sleep.KERNEL32(000003E8,00000000,?,0079F92A,KERNEL32.DLL,?,0079F976,?,00000000,0078291A,00000000,?,00781D70), ref: 0079F42E
                • Part of subcall function 0079F422: GetModuleHandleW.KERNEL32(?,?,0079F92A,KERNEL32.DLL,?,0079F976,?,00000000,0078291A,00000000,?,00781D70), ref: 0079F437
              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0079FA0D
              • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0079FA1D
              • __lock.LIBCMT ref: 0079FA3F
              • InterlockedIncrement.KERNEL32(007B7F20), ref: 0079FA4C
              • __lock.LIBCMT ref: 0079FA60
              • ___addlocaleref.LIBCMT ref: 0079FA7E
              Strings
              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
              APIs
              • ____lc_handle_func.LIBCMT ref: 0078C7E0
              • ____lc_codepage_func.LIBCMT ref: 0078C7E8
              • __GetLocaleForCP.LIBCPMT ref: 0078C811
              • ____mb_cur_max_l_func.LIBCMT ref: 0078C827
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,00000000,00000000,?,?,?,?,0078A8CE,?,00000000,00000001,00000000), ref: 0078C846
              • ____mb_cur_max_l_func.LIBCMT ref: 0078C854
              • ___pctype_func.LIBCMT ref: 0078C879
              • ____mb_cur_max_l_func.LIBCMT ref: 0078C89F
              • ____mb_cur_max_l_func.LIBCMT ref: 0078C8B7
              • ____mb_cur_max_l_func.LIBCMT ref: 0078C8CF
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,?,?,?,0078A8CE,?,00000000,00000001,00000000), ref: 0078C8DC
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,?,0078A8CE,?,00000000,00000001,00000000), ref: 0078C90D
              APIs
              Strings
              • API ID: char_traits$String_base::_Xlenstd::_
              • String ID: wx
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 007818D5
                • Part of subcall function 00788B22: __EH_prolog3.LIBCMT ref: 00788B29
                • Part of subcall function 00782F03: char_traits.LIBCPMT ref: 00782F28
              Strings
              • PagefileConfig.exe --set C: 1024 4096, xrefs: 0078191C
              • PagefileConfig.exe --set C: 1024 4096 --set D: 512 512, xrefs: 00781946
              • Examples:, xrefs: 007818EC
              • PagefileConfig.exe --none, xrefs: 007819C4
              • Notes:, xrefs: 00781A18
              • - Pagefile sizes are in megabytes (Mb)., xrefs: 00781A42
              • PagefileConfig.exe --set C: 0 0 --set D: 512 512, xrefs: 00781970
              • PagefileConfig.exe --auto, xrefs: 0078199A
              • - Setting min and max to 0 will let the system manage the pagefile for a given drive., xrefs: 00781A6C
              APIs
              • __EH_prolog3.LIBCMT ref: 0078A2ED
              • std::_Lockit::_Lockit.LIBCPMT ref: 0078A2F7
              • int.LIBCPMT ref: 0078A30E
                • Part of subcall function 00788F78: std::_Lockit::_Lockit.LIBCPMT ref: 00788F8B
              • std::locale::_Getfacet.LIBCPMT ref: 0078A317
              • ctype.LIBCPMT ref: 0078A331
              • std::bad_exception::bad_exception.LIBCMT ref: 0078A345
              • __CxxThrowException@8.LIBCMT ref: 0078A353
              • std::locale::facet::_Incref.LIBCPMT ref: 0078A363
              • std::locale::facet::facet_Register.LIBCPMT ref: 0078A369
              Strings
              • String ID: bad cast
              APIs
              • __EH_prolog3.LIBCMT ref: 0078A50C
              • std::_Lockit::_Lockit.LIBCPMT ref: 0078A516
              • int.LIBCPMT ref: 0078A52D
                • Part of subcall function 00788F78: std::_Lockit::_Lockit.LIBCPMT ref: 00788F8B
              • std::locale::_Getfacet.LIBCPMT ref: 0078A536
              • codecvt.LIBCPMT ref: 0078A550
              • std::bad_exception::bad_exception.LIBCMT ref: 0078A564
              • __CxxThrowException@8.LIBCMT ref: 0078A572
              • std::locale::facet::_Incref.LIBCPMT ref: 0078A582
              • std::locale::facet::facet_Register.LIBCPMT ref: 0078A588
              Strings
              • String ID: bad cast
              APIs
              • __EH_prolog3.LIBCMT ref: 0078B9A0
              • std::_Lockit::_Lockit.LIBCPMT ref: 0078B9AA
              • int.LIBCPMT ref: 0078B9C1
                • Part of subcall function 00788F78: std::_Lockit::_Lockit.LIBCPMT ref: 00788F8B
              • std::locale::_Getfacet.LIBCPMT ref: 0078B9CA
              • ctype.LIBCPMT ref: 0078B9E4
              • std::bad_exception::bad_exception.LIBCMT ref: 0078B9F8
              • __CxxThrowException@8.LIBCMT ref: 0078BA06
              • std::locale::facet::_Incref.LIBCPMT ref: 0078BA16
              • std::locale::facet::facet_Register.LIBCPMT ref: 0078BA1C
              Strings
              • String ID: bad cast
              APIs
              • __EH_prolog3.LIBCMT ref: 0078BA3D
              • std::_Lockit::_Lockit.LIBCPMT ref: 0078BA47
              • int.LIBCPMT ref: 0078BA5E
                • Part of subcall function 00788F78: std::_Lockit::_Lockit.LIBCPMT ref: 00788F8B
              • std::locale::_Getfacet.LIBCPMT ref: 0078BA67
              • codecvt.LIBCPMT ref: 0078BA81
              • std::bad_exception::bad_exception.LIBCMT ref: 0078BA95
              • __CxxThrowException@8.LIBCMT ref: 0078BAA3
              • std::locale::facet::_Incref.LIBCPMT ref: 0078BAB3
              • std::locale::facet::facet_Register.LIBCPMT ref: 0078BAB9
              Strings
              • String ID: bad cast
              APIs
              • __calloc_crt.LIBCMT ref: 0079ECCC
                • Part of subcall function 0079DBE0: __calloc_impl.LIBCMT ref: 0079DBF1
                • Part of subcall function 0079DBE0: Sleep.KERNEL32(00000000), ref: 0079DC08
              • __calloc_crt.LIBCMT ref: 0079ECF0
              • __calloc_crt.LIBCMT ref: 0079ED0C
              • __copytlocinfo_nolock.LIBCMT ref: 0079ED31
              • __setlocale_nolock.LIBCMT ref: 0079ED3E
              • ___removelocaleref.LIBCMT ref: 0079ED4A
              • ___freetlocinfo.LIBCMT ref: 0079ED51
              • __setmbcp_nolock.LIBCMT ref: 0079ED69
              • ___removelocaleref.LIBCMT ref: 0079ED7E
              • ___freetlocinfo.LIBCMT ref: 0079ED85
              APIs
              • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management,00000000,00000002,?,445E45D0), ref: 00781F37
              • RegSetValueExW.ADVAPI32(?,PagingFiles,00000000,00000007,?), ref: 00781FA6
              • RegCloseKey.ADVAPI32(?), ref: 00781FF4
              • RegCloseKey.ADVAPI32(?), ref: 00781FD4
                • Part of subcall function 007845AC: __EH_prolog3_catch.LIBCMT ref: 007845B3
                • Part of subcall function 007845AC: _wcslen.LIBCMT ref: 007845C3
              Strings
              • PagingFiles, xrefs: 00781F9D
              • Setting system to not use any pagefiles. Please reboot for changes to take effect., xrefs: 00781FFA
              • ERROR: Unable to write to the registry - please ensure you have administrator rights., xrefs: 00781F47, 00781FB6
              • SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, xrefs: 00781F2D
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00797248
              • std::_String_base::_Xlen.LIBCPMT ref: 0079728C
                • Part of subcall function 00790769: __EH_prolog3.LIBCMT ref: 00790770
                • Part of subcall function 00790769: __CxxThrowException@8.LIBCMT ref: 0079079B
              • ctype.LIBCPMT ref: 00797304
              • ctype.LIBCPMT ref: 00797327
              Memory Dump Source
              • Source File: 00000000.00000002.2125848291.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
              • Associated: 00000000.00000002.2125831096.0000000000780000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125875539.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125890707.00000000007B6000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2125906706.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_780000_PagefileConfig.jbxd
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1217835658-0
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00795534
              • std::_String_base::_Xlen.LIBCPMT ref: 00795578
                • Part of subcall function 0078345D: __EH_prolog3.LIBCMT ref: 00783464
                • Part of subcall function 0078345D: __CxxThrowException@8.LIBCMT ref: 00783496
              • ctype.LIBCPMT ref: 007955F0
              • ctype.LIBCPMT ref: 00795613
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1217835658-0
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00786270
              • std::_String_base::_Xlen.LIBCPMT ref: 007862AB
                • Part of subcall function 0078345D: __EH_prolog3.LIBCMT ref: 00783464
                • Part of subcall function 0078345D: __CxxThrowException@8.LIBCMT ref: 00783496
              • ctype.LIBCPMT ref: 00786318
              • ctype.LIBCPMT ref: 00786338
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catch_String_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1119708605-0
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 007853ED
              • std::_String_base::_Xlen.LIBCPMT ref: 00785428
                • Part of subcall function 0078345D: __EH_prolog3.LIBCMT ref: 00783464
                • Part of subcall function 0078345D: __CxxThrowException@8.LIBCMT ref: 00783496
              • ctype.LIBCPMT ref: 00785495
              • ctype.LIBCPMT ref: 007854B5
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catch_String_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1119708605-0
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00794BBD
              • std::_String_base::_Xlen.LIBCPMT ref: 00794BF2
                • Part of subcall function 00790769: __EH_prolog3.LIBCMT ref: 00790770
                • Part of subcall function 00790769: __CxxThrowException@8.LIBCMT ref: 0079079B
              • ctype.LIBCPMT ref: 00794C66
              • ctype.LIBCPMT ref: 00794C86
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1217835658-0
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00791186
              • std::_String_base::_Xlen.LIBCPMT ref: 007911BB
                • Part of subcall function 00790769: __EH_prolog3.LIBCMT ref: 00790770
                • Part of subcall function 00790769: __CxxThrowException@8.LIBCMT ref: 0079079B
              • ctype.LIBCPMT ref: 0079122B
              • ctype.LIBCPMT ref: 00791249
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1217835658-0
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00790D75
              • std::_String_base::_Xlen.LIBCPMT ref: 00790DAA
                • Part of subcall function 00790769: __EH_prolog3.LIBCMT ref: 00790770
                • Part of subcall function 00790769: __CxxThrowException@8.LIBCMT ref: 0079079B
              • ctype.LIBCPMT ref: 00790E0B
              • ctype.LIBCPMT ref: 00790E1E
              Similarity
              • API ID: ctype$Exception@8H_prolog3H_prolog3_catchString_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1217835658-0
              APIs
              • __CreateFrameInfo.LIBCMT ref: 0079CBBC
                • Part of subcall function 0079ADD6: __getptd.LIBCMT ref: 0079ADE4
                • Part of subcall function 0079ADD6: __getptd.LIBCMT ref: 0079ADF2
              • __getptd.LIBCMT ref: 0079CBC6
                • Part of subcall function 0079FB27: __getptd_noexit.LIBCMT ref: 0079FB2A
                • Part of subcall function 0079FB27: __amsg_exit.LIBCMT ref: 0079FB37
              • __getptd.LIBCMT ref: 0079CBD4
              • __getptd.LIBCMT ref: 0079CBE2
              • __getptd.LIBCMT ref: 0079CBED
              • _CallCatchBlock2.LIBCMT ref: 0079CC13
                • Part of subcall function 0079AE7B: __CallSettingFrame@12.LIBCMT ref: 0079AEC7
                • Part of subcall function 0079CCBA: __getptd.LIBCMT ref: 0079CCC9
                • Part of subcall function 0079CCBA: __getptd.LIBCMT ref: 0079CCD7
              Similarity
              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 1602911419-0
              APIs
              • __EH_prolog3.LIBCMT ref: 007937D3
              • __CxxThrowException@8.LIBCMT ref: 00793804
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              • __EH_prolog3.LIBCMT ref: 00793811
              Strings
              Similarity
              • API ID: H_prolog3$ExceptionException@8RaiseThrow
              • String ID: multiple_occurrences$multiple_values
              • API String ID: 1412866469-1208176579
              APIs
              Strings
              Similarity
              • API ID: __calloc_crt
              • String ID: P{{$`}{$z{
              • API String ID: 3494438863-3789798985
              APIs
              • __EH_prolog3.LIBCMT ref: 00797A5D
              • std::_Lockit::_Lockit.LIBCPMT ref: 00797A69
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00797AD7
                • Part of subcall function 00788478: __EH_prolog3.LIBCMT ref: 0078847F
              • __CxxThrowException@8.LIBCMT ref: 00797ACE
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              Strings
              Similarity
              • API ID: H_prolog3std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow
              • String ID: bad locale name
              • API String ID: 4278901745-1405518554
              APIs
              • ___BuildCatchObject.LIBCMT ref: 0079CF54
                • Part of subcall function 0079CEAF: ___BuildCatchObjectHelper.LIBCMT ref: 0079CEE5
              • _UnwindNestedFrames.LIBCMT ref: 0079CF6B
              • ___FrameUnwindToState.LIBCMT ref: 0079CF79
              Strings
              Similarity
              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
              • String ID: csm$d5{
              • API String ID: 2163707966-2832275219
              APIs
              Strings
              • style disallows all characters for short options, xrefs: 007948E2
              • style disallows parameters for short options, xrefs: 007948D3, 007948E7
              • style disallows parameters for long options, xrefs: 007948C1
              Similarity
              • API ID: Exception@8H_prolog3Throw
              • String ID: style disallows all characters for short options$style disallows parameters for long options$style disallows parameters for short options
              • API String ID: 3670251406-2573483067
              APIs
              • __getptd.LIBCMT ref: 007A0BAC
                • Part of subcall function 0079FB27: __getptd_noexit.LIBCMT ref: 0079FB2A
                • Part of subcall function 0079FB27: __amsg_exit.LIBCMT ref: 0079FB37
              • __amsg_exit.LIBCMT ref: 007A0BCC
              • __lock.LIBCMT ref: 007A0BDC
              • InterlockedDecrement.KERNEL32(?), ref: 007A0BF9
              • InterlockedIncrement.KERNEL32(00B42D98), ref: 007A0C24
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
              • String ID:
              • API String ID: 4271482742-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00781730
                • Part of subcall function 00788B22: __EH_prolog3.LIBCMT ref: 00788B29
                • Part of subcall function 00782F03: char_traits.LIBCPMT ref: 00782F28
              Strings
              • Copyright (C) 2009 Jonathan Bennett, xrefs: 007817A2
              • http://www.autoitscript.com/tools, xrefs: 007817CC
              • PagefileConfig v1.0.0 - Pagefile Configuration Utility, xrefs: 00781778
              Similarity
              • API ID: H_prolog3H_prolog3_char_traits
              • String ID: Copyright (C) 2009 Jonathan Bennett$PagefileConfig v1.0.0 - Pagefile Configuration Utility$http://www.autoitscript.com/tools
              • API String ID: 3685356560-2737818879
              APIs
              • __CxxThrowException@8.LIBCMT ref: 0078817D
              Strings
              Similarity
              • API ID: Exception@8Throw
              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2005118841-1866435925
              APIs
              • __EH_prolog3.LIBCMT ref: 00785828
              • type_info::operator==.LIBCMT ref: 0078584E
              • std::bad_exception::bad_exception.LIBCMT ref: 0078586C
              Strings
              Similarity
              • API ID: H_prolog3std::bad_exception::bad_exceptiontype_info::operator==
              • String ID: bad cast
              • API String ID: 1107443109-3145022300
              APIs
              • __getptd.LIBCMT ref: 0079C8EA
                • Part of subcall function 0079FB27: __getptd_noexit.LIBCMT ref: 0079FB2A
                • Part of subcall function 0079FB27: __amsg_exit.LIBCMT ref: 0079FB37
              • __getptd.LIBCMT ref: 0079C8FB
              • __getptd.LIBCMT ref: 0079C909
              Strings
              Similarity
              • API ID: __getptd$__amsg_exit__getptd_noexit
              • String ID: MOC
              • API String ID: 803148776-624257665
              APIs
              • __flush.LIBCMT ref: 0079B813
              • __fileno.LIBCMT ref: 0079B833
              • __locking.LIBCMT ref: 0079B83A
              • __flsbuf.LIBCMT ref: 0079B865
                • Part of subcall function 0079EF5A: __getptd_noexit.LIBCMT ref: 0079EF5A
                • Part of subcall function 00798E3D: __decode_pointer.LIBCMT ref: 00798E48
              Similarity
              • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
              • String ID:
              • API String ID: 3240763771-0
              APIs
              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 00788E2A
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 00788E55
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 00788E9E
              • RegCloseKey.ADVAPI32(?), ref: 00788EBF
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID:
              • API String ID: 1586453840-0
              APIs
              • __getptd.LIBCMT ref: 0079E093
                • Part of subcall function 0079FB27: __getptd_noexit.LIBCMT ref: 0079FB2A
                • Part of subcall function 0079FB27: __amsg_exit.LIBCMT ref: 0079FB37
              • __getptd.LIBCMT ref: 0079E0AA
              • __amsg_exit.LIBCMT ref: 0079E0B8
              • __lock.LIBCMT ref: 0079E0C8
              Similarity
              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
              • String ID:
              • API String ID: 3521780317-0
              APIs
              • __EH_prolog3.LIBCMT ref: 00783883
                • Part of subcall function 007889B0: __EH_prolog3.LIBCMT ref: 007889B7
              • __CxxThrowException@8.LIBCMT ref: 007838C1
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              Strings
              • invalid map/set<T> iterator, xrefs: 00783894
              Similarity
              • API ID: H_prolog3$ExceptionException@8RaiseThrow
              • String ID: invalid map/set<T> iterator
              • API String ID: 1412866469-152884079
              APIs
              • __EH_prolog3.LIBCMT ref: 00783B3B
                • Part of subcall function 007889B0: __EH_prolog3.LIBCMT ref: 007889B7
              • __CxxThrowException@8.LIBCMT ref: 00783B79
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              Strings
              • invalid map/set<T> iterator, xrefs: 00783B4C
              Similarity
              • API ID: H_prolog3$ExceptionException@8RaiseThrow
              • String ID: invalid map/set<T> iterator
              • API String ID: 1412866469-152884079
              APIs
              • __EH_prolog3.LIBCMT ref: 0078D67F
              • __CxxThrowException@8.LIBCMT ref: 0078D6B7
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              Strings
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: map/set<T> too long
              • API String ID: 1961742612-1285458680
              APIs
              • __EH_prolog3.LIBCMT ref: 0078DA25
              • __CxxThrowException@8.LIBCMT ref: 0078DA5D
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              Strings
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: map/set<T> too long
              • API String ID: 1961742612-1285458680
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00784202
                • Part of subcall function 00784AF1: __EH_prolog3.LIBCMT ref: 00784AF8
                • Part of subcall function 00784B3C: __EH_prolog3.LIBCMT ref: 00784B43
                • Part of subcall function 0078895B: char_traits.LIBCPMT ref: 00788980
                • Part of subcall function 00782D34: std::_String_base::_Xlen.LIBCPMT ref: 00782D71
                • Part of subcall function 00782D34: char_traits.LIBCPMT ref: 00782DC0
              Strings
              Similarity
              • API ID: H_prolog3char_traits$H_prolog3_String_base::_Xlenstd::_
              • String ID: (=$[=arg(=
              • API String ID: 3935908814-2804717308
              APIs
              • __CxxThrowException@8.LIBCMT ref: 0078657B
              Strings
              • at least one value required, xrefs: 007865A7
              • multiple values not allowed, xrefs: 0078654D
              Similarity
              • API ID: Exception@8Throw
              • String ID: at least one value required$multiple values not allowed
              • API String ID: 2005118841-4090532116
              APIs
              • std::_String_base::_Xlen.LIBCPMT ref: 00783263
              • char_traits.LIBCPMT ref: 007832B4
                • Part of subcall function 00788F01: __EH_prolog3.LIBCMT ref: 00788F08
                • Part of subcall function 00788F01: __CxxThrowException@8.LIBCMT ref: 00788F33
              Strings
              Similarity
              • API ID: Exception@8H_prolog3String_base::_ThrowXlenchar_traitsstd::_
              • String ID: \pagefile.sys 0 0
              • API String ID: 1868744336-1836148727
              APIs
              Strings
              Similarity
              • API ID: String_base::_Xlenchar_traitsstd::_
              • String ID: \pagefile.sys 0 0
              • API String ID: 511128623-1836148727
              APIs
                • Part of subcall function 0079AE29: __getptd.LIBCMT ref: 0079AE2F
                • Part of subcall function 0079AE29: __getptd.LIBCMT ref: 0079AE3F
              • __getptd.LIBCMT ref: 0079CCC9
                • Part of subcall function 0079FB27: __getptd_noexit.LIBCMT ref: 0079FB2A
                • Part of subcall function 0079FB27: __amsg_exit.LIBCMT ref: 0079FB37
              • __getptd.LIBCMT ref: 0079CCD7
              Strings
              Similarity
              • API ID: __getptd$__amsg_exit__getptd_noexit
              • String ID: csm
              • API String ID: 803148776-1018135373
              APIs
              • std::exception::exception.LIBCMT ref: 00784964
              • __CxxThrowException@8.LIBCMT ref: 00784979
                • Part of subcall function 007987A2: _malloc.LIBCMT ref: 007987BC
              Strings
              Similarity
              • API ID: Exception@8Throw_mallocstd::exception::exception
              • String ID: hL>{
              • API String ID: 4063778783-541378461
              APIs
              • __EH_prolog3.LIBCMT ref: 00788F08
              • __CxxThrowException@8.LIBCMT ref: 00788F33
                • Part of subcall function 0079AAA9: RaiseException.KERNEL32(?,?,00798806,?,?,?,?,JIx,00798806,?,007B3E4C,007B9948,?,0078494A,?), ref: 0079AAEB
              Strings
              • invalid string position, xrefs: 00788F0D
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: invalid string position
              • API String ID: 1961742612-1799206989