Windows Analysis Report
OneDriveUpdater.exe

Overview

General Information

Sample name: OneDriveUpdater.exe
Analysis ID: 1467919
MD5: 792e95b64b9cf45ac8bc10d4d0f077c2
SHA1: e50af7ee7e0a323d8aa60b6d9b3d39ab33b004f5
SHA256: 60e64dd2c6d2ac6fe9b498fadac81bc34a725de5d893e7df8b2728d8dc5b192d

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • OneDriveUpdater.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\OneDriveUpdater.exe" MD5: 792E95B64B9CF45AC8BC10D4D0F077C2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4110E98 CryptAcquireContextW,CryptCreateHash,CryptGetHashParam,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,0_2_00007FF7C4110E98
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4120034 _invalid_parameter_noinfo,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CryptCreateHash,GetLastError,CryptSetHashParam,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,0_2_00007FF7C4120034
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4113C64 _Aligned_get_default_resource,CryptBinaryToStringW,CryptBinaryToStringW,CryptStringToBinaryW,_Aligned_get_default_resource,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C4113C64
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40B8874 BCryptDestroyKey,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C40B8874
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42D0F3C CryptCreateHash,GetLastError,CreateFileW,GetFileSize,CreateFileMappingW,MapViewOfFile,CryptHashData,GetLastError,CryptGetHashParam,CryptGetHashParam,UnmapViewOfFile,CryptDestroyHash,CloseHandle,CloseHandle,CloseHandle,0_2_00007FF7C42D0F3C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42D0C78 CryptReleaseContext,0_2_00007FF7C42D0C78
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42D0CD4 CryptStringToBinaryW,GetLastError,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,0_2_00007FF7C42D0CD4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42D11CC CryptBinaryToStringW,CryptBinaryToStringW,GetLastError,0_2_00007FF7C42D11CC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42D1338 CryptBinaryToStringW,CryptBinaryToStringW,GetLastError,0_2_00007FF7C42D1338
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42D14A4 CryptAcquireContextW,GetLastError,0_2_00007FF7C42D14A4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4092050 CryptDestroyHash,0_2_00007FF7C4092050
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40920B4 CryptGetHashParam,GetLastError,CryptGetHashParam,_invalid_parameter_noinfo,CryptDestroyHash,0_2_00007FF7C40920B4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40921A4 CryptCreateHash,GetLastError,0_2_00007FF7C40921A4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40921F0 CryptAcquireContextW,0_2_00007FF7C40921F0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4092220 CryptReleaseContext,0_2_00007FF7C4092220
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C409224C CryptHashData,GetLastError,0_2_00007FF7C409224C
Source: OneDriveUpdater.exeStatic PE information: certificate valid
Source: OneDriveUpdater.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\dbs\sh\odct\0417_205450_0\client\onedrive\Product\StandaloneUpdater\exe\obj\amd64\OneDriveStandaloneUpdater.pdbT source: OneDriveUpdater.exe
Source: Binary string: D:\dbs\sh\odct\0417_205450_0\client\onedrive\Product\StandaloneUpdater\exe\obj\amd64\OneDriveStandaloneUpdater.pdb source: OneDriveUpdater.exe
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4030EC4 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindClose,0_2_00007FF7C4030EC4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C406521C FindFirstFileW,GetLastError,FindNextFileW,GetLastError,CompareFileTime,DeleteFileW,GetLastError,FindClose,0_2_00007FF7C406521C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C403125C FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindClose,0_2_00007FF7C403125C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C407ACC0 FindFirstFileW,FindNextFileW,FindClose,0_2_00007FF7C407ACC0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40A91B4 GetTempPathW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,0_2_00007FF7C40A91B4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C410DFF8 FindFirstFileW,FindClose,DeleteFileW,GetLastError,0_2_00007FF7C410DFF8
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4122020 FindFirstFileNameW,0_2_00007FF7C4122020
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4122080 FindFirstFileW,0_2_00007FF7C4122080
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4051A80 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7C4051A80
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C414E934 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_00007FF7C414E934
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C412F9D0 FindFirstFileW,0_2_00007FF7C412F9D0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4122A30 InternetCheckConnectionW,0_2_00007FF7C4122A30
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/collector/v1.0/inventoryodbc:December
Source: OneDriveUpdater.exe, 00000000.00000003.2037954027.000001BB9545A000.00000004.00000020.00020000.00000000.sdmp, OneDriveUpdater.exe, 00000000.00000003.2038396854.000001BB9553B000.00000004.00000020.00020000.00000000.sdmp, OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmp, OneDriveUpdater.exe, 00000000.00000003.2038736188.000001BB95499000.00000004.00000020.00020000.00000000.sdmp, OneDriveUpdater.exe, 00000000.00000003.2038342311.000001BB9548A000.00000004.00000020.00020000.00000000.sdmp, OneDriveUpdater.exe, 00000000.00000003.2038946928.000001BB9553D000.00000004.00000020.00020000.00000000.sdmp, OneDriveUpdater.exe, 00000000.00000003.2038314047.000001BB95465000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: OneDriveUpdater.exeString found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/MsitFastV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/MsitSlowV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/ODSUEnterpriseV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/ODSUEnterpriseV2https://g.live.com/1rewlive5skydrive/ODSUMsitFa
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/ODSUInsiderV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/ODSUMsitFastV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/ODSUMsitSlowV2
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, StandaloneUpdate_2024-07-04_234035_7252-7256.log.0.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/ODSUProductionV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/OSRSS_32bit
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/OSRSS_32bithttps://g.live.com/1rewlive5skydrive/OSRSS_64bit%loc
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/OSRSS_64bit
Source: OneDriveUpdater.exe, 00000000.00000002.2899076468.000001BB954C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/One
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveEnterpriseV2
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveInsiderV2
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, StandaloneUpdate_2024-07-04_234035_7252-7256.log.0.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2ember:Dec:December
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2ember:Dec:Decemberd$hh0
Source: OneDriveUpdater.exe, 00000000.00000002.2899076468.000001BB954C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/Onee
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/win7
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/win8
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/win81
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/odclientsettings/Enterprise
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Enterprise%l
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/EnterpriseG?Bi
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.
Source: OneDriveUpdater.exe, OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Insiders
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Insidersl
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/odclientsettings/MsitFast
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/MsitFast:?
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/MsitFastl
Source: OneDriveUpdater.exeString found in binary or memory: https://g.live.com/odclientsettings/MsitSlow
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/MsitSlow#?
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/MsitSlowl
Source: StandaloneUpdate_2024-07-04_234035_7252-7256.log.0.drString found in binary or memory: https://g.live.com/odclientsettings/Prod
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prodonfig
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prods
Source: OneDriveUpdater.exe, 00000000.00000002.2899300327.000001BB95800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.
Source: OneDriveUpdater.exe, OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms
Source: OneDriveUpdater.exe, 00000000.00000002.2899300327.000001BB95800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Ig
Source: OneDriveUpdater.exe, 00000000.00000002.2899300327.000001BB95800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Install
Source: OneDriveUpdater.exe, 00000000.00000002.2899300327.000001BB95800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.1
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/OneDriveSetup.exen
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/OneDriveSetup.exes.
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/amd64/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/amd64/OneDriveSetup.exes
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/arm64/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/arm64/OneDriveSetup.exeb-
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.126.0623.0001/OneDriveSetup.exe
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.126.0623.0001/amd64/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.126.0623.0001/amd64/OneDriveSetup.exerday
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.126.0623.0001/arm64/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.126.0623.0001/arm64/OneDriveSetup.exes
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB936EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/OneDriveSetup.exenes
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/O
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/ODi
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml0.0.dr, StandaloneUpdate_2024-07-04_234035_7252-7256.log.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93708000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/OneDriveSetup.exe?OneDriveUpdate=1d5c
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93708000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/OneDriveSetup.exees
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/OneDriveSetup.exerday~-
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/amd64/OneDriveSetup.exes
Source: StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr, Update.xml0.0.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/arm64/OneDriveSetup.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2897803199.000001BB93717000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.128.0625.0001/arm64/OneDriveSetup.exes
Source: OneDriveUpdater.exe, 00000000.00000002.2899300327.000001BB95800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/24.1O
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C407B214: CreateFileW,DeviceIoControl,DeviceIoControl,FindCloseChangeNotification,0_2_00007FF7C407B214
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4121F10 DeleteService,0_2_00007FF7C4121F10
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4121CA0 CreateProcessAsUserW,0_2_00007FF7C4121CA0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40B61400_2_00007FF7C40B6140
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41EA21C0_2_00007FF7C41EA21C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41BA2DC0_2_00007FF7C41BA2DC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40163540_2_00007FF7C4016354
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405E35C0_2_00007FF7C405E35C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C411E4100_2_00007FF7C411E410
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C415A3DC0_2_00007FF7C415A3DC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40C64800_2_00007FF7C40C6480
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C406ED480_2_00007FF7C406ED48
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C404ADB40_2_00007FF7C404ADB4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4016E900_2_00007FF7C4016E90
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405EF210_2_00007FF7C405EF21
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40AEF600_2_00007FF7C40AEF60
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405EFAB0_2_00007FF7C405EFAB
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C404AF9C0_2_00007FF7C404AF9C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4156FD00_2_00007FF7C4156FD0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C406F0500_2_00007FF7C406F050
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C416F06C0_2_00007FF7C416F06C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C415B0C40_2_00007FF7C415B0C4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42C31080_2_00007FF7C42C3108
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40E31100_2_00007FF7C40E3110
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40B69580_2_00007FF7C40B6958
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405A9E80_2_00007FF7C405A9E8
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40DA65C0_2_00007FF7C40DA65C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C404A9E00_2_00007FF7C404A9E0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405EA300_2_00007FF7C405EA30
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4156A800_2_00007FF7C4156A80
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4006A800_2_00007FF7C4006A80
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4072B3C0_2_00007FF7C4072B3C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C404ABC80_2_00007FF7C404ABC8
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C403EC480_2_00007FF7C403EC48
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405B5380_2_00007FF7C405B538
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C410F56C0_2_00007FF7C410F56C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42C36000_2_00007FF7C42C3600
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41376100_2_00007FF7C4137610
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41135EC0_2_00007FF7C41135EC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40476CC0_2_00007FF7C40476CC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40DB6DC0_2_00007FF7C40DB6DC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41337340_2_00007FF7C4133734
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C406F7AC0_2_00007FF7C406F7AC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41A77FC0_2_00007FF7C41A77FC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C416B7F00_2_00007FF7C416B7F0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40AF8240_2_00007FF7C40AF824
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41678500_2_00007FF7C4167850
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42B78D00_2_00007FF7C42B78D0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C414B8C80_2_00007FF7C414B8C8
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C404B1880_2_00007FF7C404B188
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40971C00_2_00007FF7C40971C0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40BB1C40_2_00007FF7C40BB1C4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C401F1E80_2_00007FF7C401F1E8
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40FB2540_2_00007FF7C40FB254
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C405B2BC0_2_00007FF7C405B2BC
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C411B2F40_2_00007FF7C411B2F4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C404B3700_2_00007FF7C404B370
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41174000_2_00007FF7C4117400
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42BB4740_2_00007FF7C42BB474
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40A7D2D0_2_00007FF7C40A7D2D
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C418FD2C0_2_00007FF7C418FD2C
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41E3DD00_2_00007FF7C41E3DD0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4117E780_2_00007FF7C4117E78
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4133EC00_2_00007FF7C4133EC0
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40FBEF40_2_00007FF7C40FBEF4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C414FF280_2_00007FF7C414FF28
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C415BF880_2_00007FF7C415BF88
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C40579300_2_00007FF7C4057930
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C419F9200_2_00007FF7C419F920
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C41539C40_2_00007FF7C41539C4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C408F9C80_2_00007FF7C408F9C8
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C42CF9A40_2_00007FF7C42CF9A4
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C4197A680_2_00007FF7C4197A68
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4065BC0 appears 95 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40649A8 appears 39 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40387F8 appears 40 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4064448 appears 63 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4019D08 appears 64 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40198B4 appears 690 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4174970 appears 43 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40381A4 appears 55 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40A3E8C appears 39 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C402C7D8 appears 57 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40D9714 appears 31 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C402E8B8 appears 205 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4019D98 appears 33 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4175F64 appears 181 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C4079000 appears 39 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C40765D4 appears 112 times
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: String function: 00007FF7C401B4E4 appears 950 times
Source: OneDriveUpdater.exe Binary or memory string: OriginalFilename vs OneDriveUpdater.exe
Source: OneDriveUpdater.exe Binary or memory string: \StringFileInfo\%04x%04x\OriginalFilename vs OneDriveUpdater.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2900692178.00007FF7C4401000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOneDriveStandaloneUpdater.exeF vs OneDriveUpdater.exe
Source: OneDriveUpdater.exe, 00000000.00000002.2898735011.000001BB95403000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinWord.exeB vs OneDriveUpdater.exe
Source: OneDriveUpdater.exe Binary or memory string: OriginalFilenameOneDriveStandaloneUpdater.exeF vs OneDriveUpdater.exe
Source: classification engine Classification label: clean6.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4121670 AdjustTokenPrivileges,0_2_00007FF7C4121670
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4117230 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_00007FF7C4117230
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C40C74A0 LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,0_2_00007FF7C40C74A0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41221B0 GetDiskFreeSpaceExW,0_2_00007FF7C41221B0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: CreateServiceW,0_2_00007FF7C4121DA0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4139C30 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,0_2_00007FF7C4139C30
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4105810 CoCreateInstance,0_2_00007FF7C4105810
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4121910 ChangeServiceConfig2W,0_2_00007FF7C4121910
Source: C:\Users\user\Desktop\OneDriveUpdater.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2024-07-04.2340.7252.1.aodl
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Mutant created: \Sessions\1\BaseNamedObjects\FileSyncClientUpdaterNamedMutex
Source: C:\Users\user\Desktop\OneDriveUpdater.exe File created: C:\Users\user\AppData\Local\Temp\wctC1D2.tmp
Source: OneDriveUpdater.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OneDriveUpdater.exe File read: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealthSummaryConfiguration.ini
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OneDriveUpdater.exe, 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmp, OneDriveUpdater.exe, 00000000.00000000.1645667013.00007FF7C43BF000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OneDriveUpdater.exe, 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmp, OneDriveUpdater.exe, 00000000.00000000.1645667013.00007FF7C43BF000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OneDriveUpdater.exe, 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmp, OneDriveUpdater.exe, 00000000.00000000.1645667013.00007FF7C43BF000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OneDriveUpdater.exe, 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmp, OneDriveUpdater.exe, 00000000.00000000.1645667013.00007FF7C43BF000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: bitsproxy.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: wofutil.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Section loaded: msxml6.dll
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32
Source: C:\Users\user\Desktop\OneDriveUpdater.exe File written: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealthSummaryConfiguration.ini
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\Configuration
Source: OneDriveUpdater.exe Static PE information: certificate valid
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: OneDriveUpdater.exe Static PE information: More than 248 > 100 exports found
Source: OneDriveUpdater.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: OneDriveUpdater.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: OneDriveUpdater.exe Static file information: File size 4200864 > 1048576
Source: OneDriveUpdater.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e7a00
Source: OneDriveUpdater.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OneDriveUpdater.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: OneDriveUpdater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\dbs\sh\odct\0417_205450_0\client\onedrive\Product\StandaloneUpdater\exe\obj\amd64\OneDriveStandaloneUpdater.pdbT source: OneDriveUpdater.exe
Source: Binary string: D:\dbs\sh\odct\0417_205450_0\client\onedrive\Product\StandaloneUpdater\exe\obj\amd64\OneDriveStandaloneUpdater.pdb source: OneDriveUpdater.exe
Source: OneDriveUpdater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OneDriveUpdater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OneDriveUpdater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OneDriveUpdater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OneDriveUpdater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41241D0 OpenProcess,GetLastError,LoadLibraryW,GetProcAddress,FreeLibrary,GetLastError,ReadProcessMemory,GetLastError,ReadProcessMemory,GetLastError,ReadProcessMemory,GetLastError,CloseHandle,0_2_00007FF7C41241D0
Source: OneDriveUpdater.exe Static PE information: section name: .didat
Source: OneDriveUpdater.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C412E481 push rax; ret 0_2_00007FF7C412E483
Source: C:\Users\user\Desktop\OneDriveUpdater.exeCode function: 0_2_00007FF7C414F332 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF7C414F332
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4030EC4 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindClose,0_2_00007FF7C4030EC4
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C406521C FindFirstFileW,GetLastError,FindNextFileW,GetLastError,CompareFileTime,DeleteFileW,GetLastError,FindClose,0_2_00007FF7C406521C
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C403125C FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindClose,0_2_00007FF7C403125C
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C407ACC0 FindFirstFileW,FindNextFileW,FindClose,0_2_00007FF7C407ACC0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C40A91B4 GetTempPathW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,0_2_00007FF7C40A91B4
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C410DFF8 FindFirstFileW,FindClose,DeleteFileW,GetLastError,0_2_00007FF7C410DFF8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4122020 FindFirstFileNameW,0_2_00007FF7C4122020
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4122080 FindFirstFileW,0_2_00007FF7C4122080
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4051A80 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7C4051A80
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C414E934 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_00007FF7C414E934
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C412F9D0 FindFirstFileW,0_2_00007FF7C412F9D0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4038BBC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7C4038BBC
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41241D0 OpenProcess,GetLastError,LoadLibraryW,GetProcAddress,FreeLibrary,GetLastError,ReadProcessMemory,GetLastError,ReadProcessMemory,GetLastError,ReadProcessMemory,GetLastError,CloseHandle,0_2_00007FF7C41241D0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C419580C GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C419580C
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4038DA0 SetUnhandledExceptionFilter,0_2_00007FF7C4038DA0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4038FC4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7C4038FC4
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4038BBC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7C4038BBC
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C40465BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7C40465BC
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41216B0 AllocateAndInitializeSid,0_2_00007FF7C41216B0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4063FF0 cpuid 0_2_00007FF7C4063FF0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: GetLocaleInfoEx,0_2_00007FF7C414F1B8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: GetLocaleInfoW,0_2_00007FF7C40585E0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF7C4058738
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: GetLocaleInfoW,0_2_00007FF7C40587E8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF7C4058914
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: EnumSystemLocalesW,0_2_00007FF7C4058228
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: EnumSystemLocalesW,0_2_00007FF7C40582F8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF7C4058390
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: EnumSystemLocalesW,0_2_00007FF7C40533C4
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF7C4057ED8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: GetLocaleInfoW,0_2_00007FF7C4053960
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C40648E8 GetSystemTime,EnterCriticalSection,LeaveCriticalSection,0_2_00007FF7C40648E8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4120880 LookupAccountNameW,LookupAccountNameW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7C4120880
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41930C8 GetTimeZoneInformation,0_2_00007FF7C41930C8
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C411B8FC _Aligned_get_default_resource,_invalid_parameter_noinfo_noreturn,GetVersionExW,RegGetValueW,0_2_00007FF7C411B8FC
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C410D754 CreateBindCtx,0_2_00007FF7C410D754
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4082CD0 socket,htons,htonl,bind,setsockopt,listen,closesocket,0_2_00007FF7C4082CD0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41235C0 RpcBindingFromStringBindingW,0_2_00007FF7C41235C0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41235D0 RpcBindingSetAuthInfoExW,0_2_00007FF7C41235D0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C41235B0 RpcBindingFree,0_2_00007FF7C41235B0
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4123620 RpcBindingVectorFree,0_2_00007FF7C4123620
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4123670 RpcServerInqBindings,0_2_00007FF7C4123670
Source: C:\Users\user\Desktop\OneDriveUpdater.exe Code function: 0_2_00007FF7C4123710 RpcStringBindingComposeW,0_2_00007FF7C4123710
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Service Execution; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Valid Accounts; 12 Windows Service; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Valid Accounts; 11 Access Token Manipulation; 12 Windows Service; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Valid Accounts; 11 Access Token Manipulation; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 2 Security Software Discovery; 2 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 System Network Connections Discovery; 3 File and Directory Discovery; 36 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 Data Encrypted for Impact; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
OneDriveUpdater.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467919
Start date and time:2024-07-05 01:39:47 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:OneDriveUpdater.exe
Detection:CLEAN
Classification:clean6.winEXE@1/6@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 187
  • Number of non-executed functions: 47
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): oneclient.sfx.ms, g.live.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • VT rate limit hit for: OneDriveUpdater.exe
No simulations
No context
Process:C:\Users\user\Desktop\OneDriveUpdater.exe
File Type:JSON data
Category:dropped
Size (bytes):64854
Entropy (8bit):5.39444677062414
Encrypted:false
SSDEEP:384:poaSLGTSy3S0XuMU9mCzHS7vpvpJGV6Hu/i49Pji7iJI5TZCP56vS1xDR+dBUFvT:WryF7U9mCzHS7vu/xV2iP56vcDR+P0T
MD5:E516A60BC980095E8D156B1A99AB5EEE
SHA1:238E243FFC12D4E012FD020C9822703109B987F6
SHA-256:543796A1B343B4EBC0285D89CB8EB70667AC7B513DA37495E38003704E9D88D7
SHA-512:9B51E99BA20E9DA56D1ACC24A1CF9F9C9DBDEB742BEC034E0FF2BC179A60F4AFF249F40344F9DDD43229DCDEFA1041940F65AFB336D46C175FFEFF725C638D58
Malicious:false
Reputation:moderate, very likely benign file
Preview:{"ramps":[{"id":3,"offset":0,"share":100},{"id":4,"offset":0,"share":100},{"id":5,"offset":0,"share":100},{"id":6,"offset":0,"share":100},{"id":7,"offset":0,"share":1},{"id":8,"offset":0,"share":1},{"id":9,"offset":0,"share":1},{"id":10,"offset":0,"share":1},{"id":14,"offset":0,"share":1},{"id":17,"offset":0,"share":100},{"id":18,"offset":0,"share":100},{"id":21,"offset":0,"share":1},{"id":22,"offset":0,"share":1},{"id":24,"offset":0,"share":100},{"id":25,"offset":0,"share":100},{"id":26,"offset":0,"share":100},{"id":27,"offset":0,"share":100},{"id":29,"offset":0,"share":100},{"id":30,"offset":0,"share":100},{"id":31,"offset":31,"share":100},{"id":34,"offset":0,"share":100},{"id":35,"offset":0,"share":100},{"id":36,"offset":0,"share":100},{"id":37,"offset":0,"share":100},{"id":39,"offset":0,"share":100},{"id":41,"offset":0,"share":100},{"id":43,"offset":0,"share":100},{"id":44,"offset":0,"share":100},{"id":45,"offset":0,"share":50},{"id":46,"offset":0,"share":50},{"id":53,"offset":0,"s
Process:C:\Users\user\Desktop\OneDriveUpdater.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):899
Entropy (8bit):5.650905767540785
Encrypted:false
SSDEEP:24:JdbC/3ZGhufHCSnnSO8fSSnedSSEfmC6MSnASo:3sMOBR2xeamFPS
MD5:E14BDA011C0CF74E3AA14DB6FA10D3F2
SHA1:8B198AEC3F814CCEBD84A684E8F3EC9D06382AA8
SHA-256:8068D76A11CB451E82352AE2FE92DF07216040461B8830408FE181B71AF7F1C5
SHA-512:5780023CD4E4AF2AE8C8EF6B219DE7B1250162E91C50A9105DD0035C8ED96B10A1C45110E80973E44CF3C4AB4396D432F2FDF04799BF818224F5409ED8C35542
Malicious:false
Reputation:low
Preview:
<?xml version="1.0" encoding="utf-8"?>
<root>
  <update throttle="100" rescan="1440" currentversion="24.116.0609.0005" maxapplicable="24.999.9999.9999" minapplicable="16.000.0000.0000" maxrandomdelay="360" absolutedelay="4320" useractivedelay="7" maxidlechecks="6">
    <binary sha1hash="iPmonJFhLG1DJsVCu3O8C02zDPE=" sha256hash="9GtWdJ5mNTijC+RniTQVZJNNL/v/pHeTkIzMluCzSsw=" url="https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/OneDriveSetup.exe" />
    <amd64binary sha1hash="mM+W3mLbCO3HAu1cGD4a4PdRQGw=" sha256hash="pVnIUqbb+sPBwmFmV98Hf9z6dBhT2VIESe9Va6yktNU=" url="https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/amd64/OneDriveSetup.exe" />
    <arm64binary sha1hash="bXrWME5g0j+2Yu+QZVB18bmw1Cg=" sha256hash="6ekQqi4QRB/baeFaPbG3nvM6HepCSjA3Km3M1QvM9eU=" url="https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/arm64/OneDriveSetup.exe" />
  </update>
</root>
Process:C:\Users\user\Desktop\OneDriveUpdater.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):2619
Entropy (8bit):5.650376775847054
Encrypted:false
SSDEEP:48:3jOBR2xeamFP7OzoPZY2cboc0GicDSM6ydS1uyc2g55g5T:zC7TqvCcGM0uRl5E
MD5:5156D44272713C25BAB73568881D6231
SHA1:A7BEAC91AC601654AC45818566F650D27C0DD86A
SHA-256:D3D5D10E19439834BB702265A4A33F226FAE10584A3936B05B169FF876E299D8
SHA-512:5B67B413C8881CA3FB6CA13E18231651D06F0DB1DCCD5F54BA90E75445CA0555880E5BE3D90C1757E12D93C9AF12BF6E79242DE8B8668FDB4AFE5BF2A67E555B
Malicious:false
Reputation:low
Preview:
<?xml version="1.0" encoding="utf-8"?>
<root>
  <update throttle="100" rescan="1440" currentversion="24.116.0609.0005" maxapplicable="24.116.0609.0004" minapplicable="16.000.0000.0000" maxrandomdelay="360" absolutedelay="4320" useractivedelay="7" maxidlechecks="6">
    <binary sha1hash="iPmonJFhLG1DJsVCu3O8C02zDPE=" sha256hash="9GtWdJ5mNTijC+RniTQVZJNNL/v/pHeTkIzMluCzSsw=" url="https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/OneDriveSetup.exe" />
    <amd64binary sha1hash="mM+W3mLbCO3HAu1cGD4a4PdRQGw=" sha256hash="pVnIUqbb+sPBwmFmV98Hf9z6dBhT2VIESe9Va6yktNU=" url="https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/amd64/OneDriveSetup.exe" />
    <arm64binary sha1hash="bXrWME5g0j+2Yu+QZVB18bmw1Cg=" sha256hash="6ekQqi4QRB/baeFaPbG3nvM6HepCSjA3Km3M1QvM9eU=" url="https://oneclient.sfx.ms/Win/Installers/24.116.0609.0005/arm64/OneDriveSetup.exe" />
  </update>
  <update throttle="10" rescan="1440" currentversion="24.126.0623.0001" maxapplicable="24.126.0623.0000" min
Process:C:\Users\user\Desktop\OneDriveUpdater.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):77
Entropy (8bit):4.779728184019344
Encrypted:false
SSDEEP:3:RsRo7JKIAY9PGvpZjTOjKfrQQUqNs:qVI99uvp5aYFUqNs
MD5:F619535A518729085EA69D79C0746C2D
SHA1:335545C6C0B044F296746936C84F5BF25AE3A9EF
SHA-256:562D161B3F384285970422BC6F407FE4982FAF9C20AC7A030595AAB3D5BABE37
SHA-512:C9790EF2B11BD3D620EDAABA3BBA4BEF0F201A6709DDD3E7FBA607D23F5DCE1135FDC26CC680951C9493C28C86B992E70260BA56178802BAA8E2EA732EE0E542
Malicious:false
Reputation:low
Preview:
Version=4
LastReportTime=1696413196
LastSavedScore=0
UnhealthyDuration=0
Process:C:\Users\user\Desktop\OneDriveUpdater.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):5.056512452939649
Encrypted:false
SSDEEP:768:FwpdE6kFc1bkFc1Q6bxFqNcL3KBEX1nFNm:FQEd1kbx
MD5:54FEE4BADA5FDB439E1C49156A43CC6A
SHA1:9BC59140F3B10FA1ADD45C6BD574BA979B771D8D
SHA-256:87532FD65C754A17A6D87854C5FD94B1F47208B21C9109B795ECACEB35020EA3
SHA-512:AD579CD62B9B420DF9A2A0B4C219C540A443506FF0B3A77A1E14AFB081819BF731E162217A8CE2F9A70EADB294AE81CCEE433ADBEE5B3B6AB0F5E14FA24919DA
Malicious:false
Reputation:low
Preview:EBFGONED....................22.077.0410.0007................................................10.0.19045...................................................................................................................................................................3......T...X.....;._..D..e.g..E|.).....N...........BinaryLoggingSession.cpp....)...BinaryLoggingSession::StartLoggingSession..........3......T...X.....;._..D..e.g..E2.......t.......!...DeprecatedDeviceHealthTracker.cpp....C...DeviceHealth::DeprecatedHealthTracker::HandleHealthSummaryByVersion.............3......T...X.....;._..D..e.g..E.[.....P...........HealthScoreRecorder.cpp%...-...DeviceHealth::ScoreRecorder::LoadHealthScores.........3......T...X...0..F...B...cIj.3$.......b...........StandaloneUpdater.cppI...7...StandaloneUpdater::InitializeWithDefaultImplementations......'............3......T...X...0..F...B...cIj.3.o.................StandaloneUpdater.cppN...7...StandaloneUpdater::InitializeWithDefaultImplementations+...
Process:C:\Users\user\Desktop\OneDriveUpdater.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.910466497696784
Encrypted:false
SSDEEP:192:XA7Au+F8FgFJoFwfFIF3F/FmF7FeF+F8FcFJUFhEFeF:w7AuqEQJowtIVNCBKqEkJMh8K
MD5:AF858438BF320D1B45EF6E6037FB1976
SHA1:3D3A5315E7B8EBC78615D1A0AD2D7361643946BF
SHA-256:2E3A473D2D4F64848DA1B672B02731F2D49EFE677579D03E591727146E7C143D
SHA-512:BC8C62240BEB770DA3493BCF5E2452E778EE7093CB1463876BE2E211BD72A4EA771853BC4BF9CB2E35320F0398F12267FF37B636AB60C9CE7543AEAEC1EB3266
Malicious:false
Reputation:low
Preview:
07/04/2024 23:40:35.137 OfficeConfigHelper: GetCacheTimestamp hr = 0x80070002, result: 0, valueData: 0
07/04/2024 23:40:35.137 OfficeConfigHelper: GetEnvironmentType hr = 0x80070002, result: 0, valueData: 0,
07/04/2024 23:40:35.137 OfficeConfigHelper: UseOfficeConfigUpdateValues: 0
07/04/2024 23:40:35.137 SettingsDownloader: use office config update values false
07/04/2024 23:40:35.137 SettingsDownloader: Set a flag to try OfficeConfig if download fails. isToDownloadUpdateRingSEttingsJson:
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.255702585045085
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:OneDriveUpdater.exe
File size:4'200'864 bytes
MD5:792e95b64b9cf45ac8bc10d4d0f077c2
SHA1:e50af7ee7e0a323d8aa60b6d9b3d39ab33b004f5
SHA256:60e64dd2c6d2ac6fe9b498fadac81bc34a725de5d893e7df8b2728d8dc5b192d
SHA512:5064c1a64fa0bd5a31b205d8b34cb85cc3da7091dd2412421f6394d42b9a596430b67ea4d05129912ad942458198280a3a69409388d2413072c53d928de70e86
SSDEEP:49152:3EenBpKLBz+dV0LWUEur5XVmy1rVaou58gZbkT3FjNVcXrkj6B+/T+k54Q1Wb:6VlH0MAQj8k5d18
TLSH:3E165A4BA2B901E4D0BBD23D8A679617FAB1785587359BDF0690435A0F33BE09E3E710
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......6x.Sr.b.r.b.r.b..kg...b..pf.{.b..pg.I.b..lk.~.b. lf.a.b. la.z.b. lg...b..ka.|.b..kf.m.b..kd.p.b..kc._.b.r.c...b..lg...b..lb.s.b
Icon Hash:90cececece8e8eb0
Entrypoint:0x140038ba0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x24CF8552 [Thu Jul 27 21:57:38 1989 UTC]
TLS Callbacks:0x40167610, 0x1, 0x40167690, 0x1
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:998485b035498bd8f4259c68101e6cc3
Signature Valid:true
Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 02/09/2021 19:25:38 01/09/2022 19:25:38
Subject Chain
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:CCB19DD724F52810AD930629C1825FA3
Thumbprint SHA-1:9251BD18AC5C69FDC0CB16B51D5133A84FE6BC2F
Thumbprint SHA-256:E93FB5ABE1EF7797849E0B6B487C954EBDDABCB53DD16E4EF952524D51C30F9D
Serial:330000042535216F36087CEB06000000000425
Instruction
dec eax
sub esp, 28h
call 00007FDC80803C94h
dec eax
add esp, 28h
jmp 00007FDC8080344Fh
int3
int3
and dword ptr [003A4991h], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [002B096Ah]
test eax, eax
je 00007FDC808035D6h
mov ecx, ebx
int 29h
mov ecx, 00000003h
call 00007FDC80803599h
xor edx, edx
dec eax
lea ecx, dword ptr [ebp-10h]
inc ecx
mov eax, 000004D0h
call 00007FDC80804C04h
dec eax
lea ecx, dword ptr [ebp-10h]
call dword ptr [002B123Dh]
dec eax
mov ebx, dword ptr [ebp+000000E8h]
dec eax
lea edx, dword ptr [ebp+000004D8h]
dec eax
mov ecx, ebx
inc ebp
xor eax, eax
call dword ptr [002B122Bh]
dec eax
test eax, eax
je 00007FDC8080360Eh
dec eax
and dword ptr [esp+38h], 00000000h
dec eax
lea ecx, dword ptr [ebp+000004E0h]
dec eax
mov edx, dword ptr [ebp+000004D8h]
dec esp
mov ecx, eax
dec eax
mov dword ptr [esp+30h], ecx
dec esp
mov eax, ebx
dec eax
lea ecx, dword ptr [ebp+000004E8h]
dec eax
mov dword ptr [esp+28h], ecx
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
mov dword ptr [esp+20h], ecx
xor ecx, ecx
call dword ptr [002B11F2h]
dec eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b43e0 | 0x72cc | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3bb6ac | 0x1cc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x402000 | 0xb60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3e3000 | 0x1ce6c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3ff400 | 0x25a0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x403000 | 0x528c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x362040 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x362100 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35af90 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e9000 | 0xef8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3b4250 | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e791c | 0x2e7a00 | a23d1340ce6770bd3e96322ec9b8471e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2e9000 | 0xd5a44 | 0xd5c00 | 3aa3851f60487a2dcdffab0194e0ef4f | False | 0.31893046418128657 | data | 4.962151045168778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3bf000 | 0x23214 | 0x1e600 | ba3d3cf5404aba214171beb85f132b1d | False | 0.1951437114197531 | data | 4.8715384935366615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3e3000 | 0x1ce6c | 0x1d000 | e4f42dd872058c005b33a5ecac3104d7 | False | 0.5015069369612069 | data | 6.283611176742107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x400000 | 0x48 | 0x200 | bab7359b53959913b7a4cb69225e1e2e | False | 0.076171875 | data | 0.5703483918359332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x401000 | 0xfc | 0x200 | 88f14c29479baa4dadcc14245a4175ba | False | 0.318359375 | data | 2.458301158770647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x402000 | 0xb60 | 0xc00 | 1e19c28ffefb2ba22f1cb67e37d3548c | False | 0.3821614583333333 | data | 4.648152733517116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x403000 | 0x528c | 0x5400 | 2fe0dbcb762c4ef1986df34a76320f1a | False | 0.2546968005952381 | data | 5.441211306199959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
EDPENLIGHTENEDAPPINFOID | 0x402b50 | 0x2 | data | English | United States | 5.0
EDPPERMISSIVEAPPINFOID | 0x402b58 | 0x2 | data | English | United States | 5.0
RT_VERSION | 0x402210 | 0x408 | data | English | United States | 0.42151162790697677
RT_MANIFEST | 0x402618 | 0x533 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4320060105184072
DLL | Import
KERNEL32.dll | RtlPcToFileHeader, InterlockedPushEntrySList, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCurrentThread, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, SetStdHandle, GetStringTypeW, GetTimeZoneInformation, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, RtlUnwindEx, WriteConsoleW, CompareFileTime, FindClose, FindNextFileW, FindFirstFileW, Process32NextW, OpenProcess, Process32FirstW, CreateToolhelp32Snapshot, CreateProcessW, GetProductInfo, VerifyVersionInfoW, VerSetConditionMask, LoadLibraryExW, MoveFileExW, IsWow64Process, ExpandEnvironmentStringsW, UnmapViewOfFile, MapViewOfFileEx, CreateFileMappingW, GetFileSize, CreateFileW, LocalFree, LocalAlloc, OpenMutexW, FileTimeToSystemTime, FileTimeToLocalFileTime, GetTickCount64, GetVolumePathNameW, Sleep, GetCommandLineW, GetModuleHandleExW, FreeLibrary, GetEnvironmentVariableW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, GetCurrentProcess, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetProcAddress, GetModuleHandleW, CreateEventW, WaitForSingleObjectEx, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, CloseHandle, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringW, IsDebuggerPresent, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, 
GetDriveTypeW, FreeLibraryAndExitThread, ExitThread, CreateThread, RtlUnwind, LoadLibraryExA, VirtualQuery, VirtualProtect, InitializeCriticalSection, HeapCreate, GetDiskFreeSpaceW, LockFile, GetFullPathNameA, HeapValidate, GetTempPathA, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, FlushViewOfFile, CreateFileA, LoadLibraryA, DeleteFileA, GetSystemInfo, HeapCompact, UnlockFile, MapViewOfFile, GetSystemPowerStatus, GetModuleFileNameA, OutputDebugStringA, CompareStringEx, LCMapStringEx, DecodePointer, InitOnceExecuteOnce, GetLocaleInfoEx, CreateHardLinkW, AreFileApisANSI, SetEndOfFile, GetCurrentDirectoryW, AcquireSRWLockShared, ReleaseSRWLockShared, SleepConditionVariableSRW, SleepConditionVariableCS, WakeAllConditionVariable, RaiseException, ReadConsoleW, DeleteFileW, GetSystemTime, CreateDirectoryW, GetFullPathNameW, GetTempFileNameW, RemoveDirectoryW, SetFileTime, GetTempPathW, CopyFileW, SystemTimeToFileTime, LockFileEx, UnlockFileEx, DeviceIoControl, LoadLibraryW, WerRegisterFile, WerUnregisterFile, GetTickCount, K32GetModuleFileNameExW, WaitForSingleObject, WaitForMultipleObjects, QueueUserWorkItem, CreateMutexW, GetVersionExW, MoveFileW, GetUserDefaultLocaleName, GetComputerNameW, FindFirstVolumeW, FindNextVolumeW, FindVolumeClose, GetDiskFreeSpaceExW, GetFileAttributesW, GetFileAttributesExW, GetFileInformationByHandle, GetFinalPathNameByHandleW, GetLongPathNameW, SetFileAttributesW, SetFileInformationByHandle, SetFilePointer, GetCompressedFileSizeW, FindFirstFileNameW, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, ReleaseMutex, GetProcessTimes, GetExitCodeProcess, GetSystemTimes, SetDllDirectoryW, ReplaceFileW, ReadDirectoryChangesW, RegisterApplicationRestart, GetFileInformationByHandleEx, OpenFileById, CreateSymbolicLinkW, CompareStringOrdinal, GetUserGeoID, GlobalFree, ReadProcessMemory, QueryPerformanceFrequency, FormatMessageA, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, 
TryEnterCriticalSection, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, InitializeConditionVariable, WakeConditionVariable
USER32.dll: PostThreadMessageW, SendMessageTimeoutW, ShowWindow, DestroyWindow, CreateWindowExW, RegisterClassW, DispatchMessageW, GetMessageW, SystemParametersInfoW, GetWindowThreadProcessId, GetClassNameW, EnumWindows, PostMessageW, PostQuitMessage, TranslateMessage
OLEAUT32.dll: VariantChangeType, VarBstrCmp, VariantClear, SysStringByteLen, LoadTypeLib, LoadRegTypeLib, SysFreeString, SysStringLen, SetErrorInfo, GetErrorInfo, GetRecordInfoFromTypeInfo, SysAllocStringLen, VariantInit, SysAllocString, SysAllocStringByteLen
ntdll.dll: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
SHLWAPI.dll: StrStrIW, SHRegGetBoolUSValueW, SHRegGetValueW, PathStripToRootW, PathStripPathW, PathIsDirectoryW, PathRemoveFileSpecW, PathFileExistsW, SHSetValueW, SHCreateStreamOnFileEx, PathIsRelativeW, PathFindFileNameW, SHDeleteKeyW, SHDeleteValueW, SHGetValueW, PathIsPrefixW, SHCreateStreamOnFileW
VERSION.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
USERENV.dll: GetDefaultUserProfileDirectoryW, CreateEnvironmentBlock, GetProfileType
ADVAPI32.dll: RegGetValueA, EventUnregister, CryptAcquireContextW, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, EventWriteTransfer, GetUserNameW, RegOpenKeyExW, OpenProcessToken, GetTokenInformation, MapGenericMask, IsValidAcl, DuplicateToken, AccessCheck, OpenThreadToken, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetNamedSecurityInfoW, StartServiceW, StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerW, QueryServiceStatusEx, QueryServiceStatus, QueryServiceConfigW, DeleteService, CreateServiceW, ControlService, ChangeServiceConfig2W, CryptHashData, CryptDestroyHash, AdjustTokenPrivileges, AllocateAndInitializeSid, FreeSid, LookupPrivilegeValueW, SetEntriesInAclW, SetNamedSecurityInfoW, ImpersonateLoggedOnUser, RevertToSelf, CopySid, GetLengthSid, IsValidSid, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegQueryInfoKeyW, RegSetKeyValueW, RegGetValueW, LookupAccountNameW, CryptDestroyKey, CryptSetHashParam, CryptImportKey, CreateProcessAsUserW, CreateWellKnownSid, DuplicateTokenEx, GetAclInformation, SetFileSecurityW, RegCreateKeyTransactedW, RegDeleteKeyExW, RegEnumKeyW, RegLoadKeyW, RegUnLoadKeyW, RegDeleteTreeW, ChangeServiceConfigW, OpenSCManagerW, ConvertSidToStringSidW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, CloseServiceHandle, OpenServiceW, EventRegister
SHELL32.dll: SHLoadNonloadedIconOverlayIdentifiers, SHChangeNotify, SHParseDisplayName, SHCreateItemFromParsingName, SHGetFolderPathAndSubDirW, SHSetKnownFolderPath, CommandLineToArgvW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, SHGetFolderPathW, ShellExecuteExW, SHGetKnownFolderPath, SHFileOperationW
ole32.dll: CoSetProxyBlanket, CoInitialize, CreateBindCtx, StringFromCLSID, CoTaskMemAlloc, StringFromGUID2, CoCreateInstance, CoTaskMemFree, GetRunningObjectTable, CreateItemMoniker, CoCreateGuid, CoUninitialize, CoInitializeEx, CLSIDFromString, CoCreateFreeThreadedMarshaler
WINHTTP.dll: WinHttpGetProxyForUrl, WinHttpSetCredentials, WinHttpSetOption, WinHttpCloseHandle, WinHttpOpen, WinHttpGetIEProxyConfigForCurrentUser
RstrtMgr.DLL: RmGetList, RmRegisterResources, RmEndSession, RmStartSession
WINTRUST.dll: WTHelperGetProvSignerFromChain, WTHelperProvDataFromStateData, WinVerifyTrustEx
WTSAPI32.dll: WTSFreeMemory, WTSQuerySessionInformationW, WTSEnumerateSessionsW, WTSQueryUserToken
bcrypt.dll: BCryptEncrypt, BCryptGenerateSymmetricKey, BCryptCloseAlgorithmProvider, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom, BCryptSetProperty
CRYPT32.dll: CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CryptBinaryToStringW, CryptStringToBinaryW
RPCRT4.dll: UuidToStringW, RpcBindingFree, RpcBindingFromStringBindingW, RpcBindingVectorFree, RpcBindingSetAuthInfoExW, RpcEpRegisterW, RpcEpUnregister, RpcServerInqCallAttributesW, RpcStringFreeW, RpcStringBindingComposeW, RpcServerInqBindings, RpcServerRegisterIfEx, RpcServerUnregisterIf, RpcServerUseProtseqW, RpcExceptionFilter
Secur32.dll: GetUserNameExW
urlmon.dll: URLOpenStreamW
WININET.dll: InternetCheckConnectionW, InternetCrackUrlA, InternetOpenW, InternetConnectA, InternetReadFile, InternetQueryOptionW, InternetSetStatusCallbackW, HttpOpenRequestA, InternetCloseHandle, HttpSendRequestW, HttpQueryInfoA, HttpAddRequestHeadersA
WS2_32.dll: bind, closesocket, htonl, accept, listen, send, setsockopt, socket, WSAStartup, WSAGetLastError, htons
IPHLPAPI.DLL: GetAdaptersInfo
Name | Ordinal | Address
Language of compilation system:English
Country where language is spoken:United States
No network behavior found

Target ID:0
Start time:19:40:35
Start date:04/07/2024
Path:C:\Users\user\Desktop\OneDriveUpdater.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\OneDriveUpdater.exe"
Imagebase:0x7ff7c4000000
File size:4'200'864 bytes
MD5 hash:792E95B64B9CF45AC8BC10D4D0F077C2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

    Execution Graph

    Execution Coverage:7.5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:14.4%
    Total number of Nodes:2000
    Total number of Limit Nodes:55
154283 7ff7c40469f8 _get_daylight 11 API calls 154281->154283 154282->154266 154284 7ff7c4047e48 154283->154284 154319 7ff7c404688c 47 API calls _invalid_parameter_noinfo 154284->154319 154287 7ff7c4038695 154286->154287 154290 7ff7c403869a __scrt_release_startup_lock 154286->154290 154287->154290 154320 7ff7c4038bbc 7 API calls 2 library calls 154287->154320 154289 7ff7c403870e 154290->154270 154292 7ff7c40471a4 154291->154292 154293 7ff7c4038995 154291->154293 154294 7ff7c40471ac 154292->154294 154295 7ff7c40471c2 GetModuleFileNameW 154292->154295 154293->154278 154317 7ff7c403931c InitializeSListHead 154293->154317 154296 7ff7c40469f8 _get_daylight 11 API calls 154294->154296 154299 7ff7c40471ed 154295->154299 154297 7ff7c40471b1 154296->154297 154321 7ff7c404688c 47 API calls _invalid_parameter_noinfo 154297->154321 154322 7ff7c4047124 11 API calls 2 library calls 154299->154322 154301 7ff7c404722d 154302 7ff7c4047235 154301->154302 154309 7ff7c404724d 154301->154309 154303 7ff7c40469f8 _get_daylight 11 API calls 154302->154303 154304 7ff7c404723a 154303->154304 154305 7ff7c4050f00 __free_lconv_mon 11 API calls 154304->154305 154306 7ff7c4047248 154305->154306 154306->154293 154307 7ff7c404726f 154308 7ff7c4050f00 __free_lconv_mon 11 API calls 154307->154308 154308->154293 154309->154307 154310 7ff7c404729b 154309->154310 154311 7ff7c40472b4 154309->154311 154312 7ff7c4050f00 __free_lconv_mon 11 API calls 154310->154312 154311->154311 154313 7ff7c4050f00 __free_lconv_mon 11 API calls 154311->154313 154314 7ff7c40472a4 154312->154314 154313->154307 154315 7ff7c4050f00 __free_lconv_mon 11 API calls 154314->154315 154316 7ff7c40472b0 154315->154316 154316->154293 154318->154269 154319->154282 154320->154289 154321->154293 154322->154301 154332 7ff7c4084be4 154323->154332 154326 7ff7c40387f8 UnDecorator::getPointerType 50 API calls 154327 7ff7c403883d 154326->154327 154327->154223 154329 7ff7c4001abe 154328->154329 154330 7ff7c40387f8 UnDecorator::getPointerType 50 
API calls 154329->154330 154331 7ff7c403883d 154330->154331 154331->154223 154333 7ff7c4038858 std::_Facet_Register 50 API calls 154332->154333 154334 7ff7c4084c1a 154333->154334 154341 7ff7c414dcb8 154334->154341 154336 7ff7c4084c97 154337 7ff7c4038858 std::_Facet_Register 50 API calls 154336->154337 154338 7ff7c4084ca5 154337->154338 154351 7ff7c4084b54 50 API calls std::_Facet_Register 154338->154351 154340 7ff7c4001a20 154340->154326 154352 7ff7c42cd5d4 154341->154352 154344 7ff7c414dcca 154344->154336 154351->154340 154353 7ff7c42cd5f4 154352->154353 154354 7ff7c42cd5dd 154352->154354 154369 7ff7c4053e40 154353->154369 154355 7ff7c40469f8 _get_daylight 11 API calls 154354->154355 154357 7ff7c42cd5e2 154355->154357 154374 7ff7c404688c 47 API calls _invalid_parameter_noinfo 154357->154374 154360 7ff7c414dcc6 154360->154344 154364 7ff7c40381c8 154360->154364 154385 7ff7c4037ee4 47 API calls __std_exception_copy 154364->154385 154366 7ff7c40381d9 154367 7ff7c403a478 std::_Xinvalid_argument 2 API calls 154366->154367 154368 7ff7c40381ea 154367->154368 154375 7ff7c4053440 154369->154375 154374->154360 154376 7ff7c405349c __vcrt_FlsAlloc 154375->154376 154377 7ff7c40534a1 154375->154377 154376->154377 154378 7ff7c40534d0 LoadLibraryExW 154376->154378 154379 7ff7c40535c5 GetProcAddressForCaller 154376->154379 154383 7ff7c405352f LoadLibraryExW 154376->154383 154384 7ff7c4050db8 47 API calls BuildCatchObjectHelperInternal 154377->154384 154380 7ff7c40535a5 154378->154380 154381 7ff7c40534f5 GetLastError 154378->154381 154379->154377 154380->154379 154382 7ff7c40535bc FreeLibrary 154380->154382 154381->154376 154382->154379 154383->154376 154383->154380 154385->154366 154387 7ff7c403a210 154386->154387 154387->154228 154387->154387 154389 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154388->154389 154390 7ff7c400f9cb 154389->154390 154391 7ff7c4038858 std::_Facet_Register 50 API calls 154390->154391 154392 7ff7c400f9e4 154391->154392 154393 7ff7c401602c GetCommandLineW 
CommandLineToArgvW 154392->154393 154394 7ff7c401607f _Aligned_get_default_resource 154393->154394 154395 7ff7c40160ba 154393->154395 154397 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154394->154397 154396 7ff7c40160f3 _Aligned_get_default_resource 154395->154396 154398 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154395->154398 154680 7ff7c4116324 154396->154680 154397->154395 154398->154396 154399 7ff7c401610b _Aligned_get_default_resource 154697 7ff7c410f304 154399->154697 154400 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154401 7ff7c4016209 154400->154401 154401->154237 154411 7ff7c4016354 GetCommandLineW CommandLineToArgvW 154401->154411 154402 7ff7c4016134 _Aligned_get_default_resource 154406 7ff7c40161f1 _DeleteExceptionPtr 154402->154406 154710 7ff7c402fbc0 154402->154710 154403 7ff7c4016157 154403->154406 154722 7ff7c4077444 154403->154722 154405 7ff7c401619d _DeleteExceptionPtr 154405->154406 154726 7ff7c40779c4 154405->154726 154406->154400 154412 7ff7c40163b0 _Aligned_get_default_resource 154411->154412 154413 7ff7c40163ed 154411->154413 154414 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154412->154414 154415 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154413->154415 154417 7ff7c401642e _Aligned_get_default_resource 154413->154417 154414->154413 154415->154417 154416 7ff7c4016470 154419 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154416->154419 154423 7ff7c40164a9 _Aligned_get_default_resource 154416->154423 154417->154416 154418 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154417->154418 154418->154416 154419->154423 154420 7ff7c4016b40 154421 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154420->154421 154422 7ff7c4016b4f 154421->154422 154422->154237 154439 7ff7c4016228 154422->154439 154423->154420 154424 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154423->154424 154425 7ff7c40164fe 154424->154425 154426 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154425->154426 154427 7ff7c4016536 
_Aligned_get_default_resource 154426->154427 154428 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154427->154428 154429 7ff7c4016540 154427->154429 154430 7ff7c4016590 154428->154430 154431 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154429->154431 154438 7ff7c4016660 _Aligned_get_default_resource 154429->154438 154433 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154430->154433 154432 7ff7c4016639 154431->154432 154434 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154432->154434 154433->154429 154434->154438 154436 7ff7c401673f _DeleteExceptionPtr _Aligned_get_default_resource 154436->154420 158394 7ff7c4009384 145 API calls 2 library calls 154436->158394 154438->154420 154438->154436 158393 7ff7c411b2b4 167 API calls 154438->158393 158395 7ff7c4135c10 154439->158395 158427 7ff7c4124180 154439->158427 154440 7ff7c4016333 _DeleteExceptionPtr 154441 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154440->154441 154443 7ff7c401634a 154441->154443 154442 7ff7c401625b _Aligned_get_default_resource 154442->154440 154444 7ff7c4077444 207 API calls 154442->154444 154443->154237 154443->154248 154445 7ff7c40162dc _DeleteExceptionPtr 154444->154445 154445->154440 154446 7ff7c40779c4 _DeleteExceptionPtr 145 API calls 154445->154446 154446->154440 154450 7ff7c4038858 std::_Facet_Register 50 API calls 154449->154450 154451 7ff7c40104d6 CoInitializeEx 154450->154451 154453 7ff7c40105d2 _DeleteExceptionPtr 154451->154453 154454 7ff7c40779c4 _DeleteExceptionPtr 145 API calls 154453->154454 154455 7ff7c40105e5 _DeleteExceptionPtr 154454->154455 154456 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154455->154456 154457 7ff7c401062f 154456->154457 154458 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154457->154458 154459 7ff7c4010660 _Aligned_get_default_resource 154458->154459 154460 7ff7c4038858 std::_Facet_Register 50 API calls 154459->154460 154461 7ff7c40106a3 154460->154461 158492 7ff7c40101d0 154461->158492 154465 7ff7c40106e6 158538 7ff7c400ffb4 
154465->158538 154468 7ff7c4010774 158572 7ff7c400fe20 154468->158572 154472 7ff7c401079c 158752 7ff7c4001128 13 API calls __std_fs_get_file_attributes_by_handle 154472->158752 154473 7ff7c4010713 _Aligned_get_default_resource 154473->154468 158751 7ff7c411b2b4 167 API calls 154473->158751 154476 7ff7c40107a1 154477 7ff7c40107ac _Aligned_get_default_resource 154476->154477 154478 7ff7c4010870 154477->154478 154480 7ff7c4111bd0 98 API calls 154477->154480 154479 7ff7c4077444 207 API calls 154478->154479 154481 7ff7c40108c9 154479->154481 154482 7ff7c40107fc 154480->154482 158598 7ff7c400f60c 154481->158598 154484 7ff7c401085a 154482->154484 154487 7ff7c4019d08 UnDecorator::getPointerType 50 API calls 154482->154487 154488 7ff7c4010819 154487->154488 154488->154478 154683 7ff7c4116353 _Aligned_get_default_resource 154680->154683 154687 7ff7c4116417 _Aligned_get_default_resource 154680->154687 154681 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154682 7ff7c4116576 154681->154682 154682->154399 154683->154687 154733 7ff7c4116aa8 154683->154733 154685 7ff7c4116393 154685->154685 154686 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154685->154686 154685->154687 154688 7ff7c41163d9 154686->154688 154687->154681 154690 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154688->154690 154689 7ff7c4116438 _Aligned_get_default_resource 154689->154687 154691 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154689->154691 154692 7ff7c41164a5 _Aligned_get_default_resource 154689->154692 154690->154687 154691->154692 154694 7ff7c41164d5 154692->154694 154741 7ff7c411625c 154692->154741 154693 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154693->154687 154694->154693 154698 7ff7c4038858 std::_Facet_Register 50 API calls 154697->154698 154700 7ff7c410f341 memcpy_s 154698->154700 154699 7ff7c410f363 154701 7ff7c4038858 std::_Facet_Register 50 API calls 154699->154701 154700->154699 154787 7ff7c4127360 InitializeCriticalSectionEx 154700->154787 154703 7ff7c410f379 
154701->154703 154774 7ff7c4128dd0 154703->154774 154706 7ff7c410f409 154707 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154706->154707 154708 7ff7c410f457 154707->154708 154708->154402 154710->154403 154711 7ff7c411715c 154710->154711 155384 7ff7c4130490 154711->155384 154723 7ff7c407745f 154722->154723 154725 7ff7c40774c5 154722->154725 156141 7ff7c4077024 154723->156141 154725->154405 154727 7ff7c40779e6 _DeleteExceptionPtr 154726->154727 154730 7ff7c4077a41 154727->154730 158329 7ff7c407f746 154727->158329 158335 7ff7c407f570 154727->158335 154728 7ff7c4077a07 158361 7ff7c4077280 50 API calls _DeleteExceptionPtr 154728->158361 154730->154406 154734 7ff7c4116b74 154733->154734 154736 7ff7c4116acb _Aligned_get_default_resource 154733->154736 154735 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154734->154735 154737 7ff7c411638b 154735->154737 154747 7ff7c410fe2c 154736->154747 154737->154685 154737->154689 154738 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154738->154734 154739 7ff7c4116b03 154739->154738 154743 7ff7c411628b memcpy_s 154741->154743 154742 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154744 7ff7c411631b 154742->154744 154746 7ff7c4116307 154743->154746 154773 7ff7c410b03c 94 API calls 3 library calls 154743->154773 154744->154694 154746->154742 154748 7ff7c410fe74 memcpy_s 154747->154748 154749 7ff7c410fee5 154748->154749 154750 7ff7c410fec1 GetFileVersionInfoSizeW 154748->154750 154758 7ff7c410ff5c 154749->154758 154768 7ff7c402ff58 154749->154768 154750->154749 154751 7ff7c410ff87 VerQueryValueW 154752 7ff7c410ffcc memcpy_s 154751->154752 154756 7ff7c410ffbd 154751->154756 154752->154756 154759 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154752->154759 154754 7ff7c410ff2a GetFileVersionInfoW 154754->154758 154755 7ff7c4110108 ISource 154757 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 154755->154757 154756->154755 154760 7ff7c4110136 154756->154760 154761 
7ff7c411011e 154757->154761 154758->154751 154758->154752 154764 7ff7c4110019 154759->154764 154762 7ff7c40468ac _invalid_parameter_noinfo_noreturn 47 API calls 154760->154762 154761->154739 154763 7ff7c411013b 154762->154763 154765 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154764->154765 154766 7ff7c41100b5 154765->154766 154766->154756 154767 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154766->154767 154767->154756 154769 7ff7c402ff85 154768->154769 154770 7ff7c402ff7f memcpy_s 154768->154770 154769->154770 154772 7ff7c4030044 50 API calls 6 library calls 154769->154772 154770->154754 154772->154770 154773->154746 154775 7ff7c410f3dd 154774->154775 154776 7ff7c4128e04 154774->154776 154778 7ff7c4036970 154775->154778 154795 7ff7c412a8e0 154776->154795 154779 7ff7c403698a 154778->154779 154782 7ff7c40369e8 ISource 154778->154782 154780 7ff7c40369a7 154779->154780 155382 7ff7c403765c 47 API calls 3 library calls 154779->155382 154780->154782 154783 7ff7c40468ac _invalid_parameter_noinfo_noreturn 47 API calls 154780->154783 154782->154706 154786 7ff7c4036a16 154783->154786 154784 7ff7c4036a41 154784->154706 154786->154784 155383 7ff7c403765c 47 API calls 3 library calls 154786->155383 154788 7ff7c41273b9 154787->154788 154789 7ff7c41273a1 GetLastError 154787->154789 154788->154699 154789->154788 154790 7ff7c41273eb 154789->154790 154791 7ff7c401b630 49 API calls 154790->154791 154792 7ff7c41273f0 ISource 154791->154792 154793 7ff7c412743d 154792->154793 154794 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154792->154794 154793->154699 154794->154792 155118 7ff7c4095480 154795->155118 154798 7ff7c412a95f ISource 155222 7ff7c403785c 47 API calls 2 library calls 154798->155222 154799 7ff7c412a98f 154800 7ff7c40468ac _invalid_parameter_noinfo_noreturn 47 API calls 154799->154800 154802 7ff7c412a994 RegOpenKeyExW 154800->154802 154804 7ff7c412ae80 154802->154804 154807 7ff7c412aa3b _Aligned_get_default_resource 154802->154807 154805 7ff7c4038920 
__std_fs_get_file_attributes_by_handle 8 API calls 154804->154805 154806 7ff7c412aeaa 154805->154806 154806->154775 154807->154804 154808 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154807->154808 154809 7ff7c412aae2 154808->154809 154810 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154809->154810 154811 7ff7c412ab10 154810->154811 155123 7ff7c4112834 154811->155123 154813 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154814 7ff7c412ab43 154813->154814 154815 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154814->154815 154832 7ff7c412ab4d ISource memcpy_s _Aligned_get_default_resource 154815->154832 154817 7ff7c412aec5 154818 7ff7c40468ac _invalid_parameter_noinfo_noreturn 47 API calls 154817->154818 154819 7ff7c412aeca 154818->154819 154820 7ff7c4038858 std::_Facet_Register 50 API calls 154819->154820 154821 7ff7c412af25 154820->154821 154822 7ff7c412af39 154821->154822 155225 7ff7c4127270 50 API calls _DeleteExceptionPtr 154821->155225 154824 7ff7c4038858 std::_Facet_Register 50 API calls 154822->154824 154828 7ff7c412af52 154824->154828 154827 7ff7c412afab _Aligned_get_default_resource 154831 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154827->154831 154828->154827 154830 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154828->154830 154829 7ff7c401b694 47 API calls _DeleteExceptionPtr 154829->154832 154830->154827 154833 7ff7c412aff8 154831->154833 154832->154804 154832->154817 154832->154829 154834 7ff7c401b4e4 50 API calls _DeleteExceptionPtr 154832->154834 155089 7ff7c412a8e0 162 API calls 154832->155089 155135 7ff7c411ff6c 154832->155135 155148 7ff7c4123110 RegEnumKeyExW 154832->155148 155223 7ff7c4126b6c 50 API calls 2 library calls 154832->155223 155224 7ff7c4125fd8 50 API calls 3 library calls 154832->155224 155078 7ff7c4112834 53 API calls 154833->155078 154834->154832 154835 7ff7c412b01d 154836 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154835->154836 154837 7ff7c412b02a _Aligned_get_default_resource 154836->154837 154838 7ff7c401b4e4 
_DeleteExceptionPtr 50 API calls 154837->154838 154839 7ff7c412b077 154838->154839 155092 7ff7c4112834 53 API calls 154839->155092 154840 7ff7c412b09c 154841 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154840->154841 154844 7ff7c412b0a9 154841->154844 154842 7ff7c412b103 _Aligned_get_default_resource 154843 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154842->154843 154845 7ff7c412b153 154843->154845 154844->154842 154846 7ff7c412c734 154844->154846 154848 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154845->154848 154847 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154846->154847 154850 7ff7c412b207 _Aligned_get_default_resource 154847->154850 154849 7ff7c412b185 _Aligned_get_default_resource 154848->154849 154853 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154849->154853 154851 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154850->154851 154852 7ff7c412b257 154851->154852 155116 7ff7c4112834 53 API calls 154852->155116 154854 7ff7c412b1d5 154853->154854 154858 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154854->154858 154855 7ff7c412b27c 154856 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154855->154856 154857 7ff7c412b289 _Aligned_get_default_resource 154856->154857 154859 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154857->154859 154858->154850 154860 7ff7c412b2d9 154859->154860 155075 7ff7c4112834 53 API calls 154860->155075 154861 7ff7c412b2fe 154862 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154861->154862 154863 7ff7c412b30b _Aligned_get_default_resource 154862->154863 154864 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154863->154864 154865 7ff7c412b35a 154864->154865 155149 7ff7c411262c 154865->155149 155159 7ff7c4112620 154865->155159 154866 7ff7c412b385 154867 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154866->154867 154868 7ff7c412b393 _Aligned_get_default_resource 154867->154868 154869 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154868->154869 154870 7ff7c412b3fb 154869->154870 155087 7ff7c411262c 11 API calls 154870->155087 
155088 7ff7c4112620 11 API calls 154870->155088 154871 7ff7c412b426 154872 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154871->154872 154873 7ff7c412b434 _Aligned_get_default_resource 154872->154873 154874 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154873->154874 154875 7ff7c412b49c 154874->154875 155095 7ff7c411262c 11 API calls 154875->155095 155096 7ff7c4112620 11 API calls 154875->155096 154876 7ff7c412b4c7 154877 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154876->154877 154878 7ff7c412b4d5 _Aligned_get_default_resource 154877->154878 154879 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154878->154879 154880 7ff7c412b53d 154879->154880 155104 7ff7c411262c 11 API calls 154880->155104 155105 7ff7c4112620 11 API calls 154880->155105 154881 7ff7c412b568 154882 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154881->154882 154883 7ff7c412b576 _Aligned_get_default_resource 154882->154883 154884 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154883->154884 154885 7ff7c412b655 154884->154885 155073 7ff7c411262c 11 API calls 154885->155073 155074 7ff7c4112620 11 API calls 154885->155074 154886 7ff7c412b680 154887 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154886->154887 154888 7ff7c412b68e _Aligned_get_default_resource 154887->154888 154889 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154888->154889 154890 7ff7c412b6f8 154889->154890 155083 7ff7c411262c 11 API calls 154890->155083 155084 7ff7c4112620 11 API calls 154890->155084 154891 7ff7c412b723 154892 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154891->154892 154893 7ff7c412b731 _Aligned_get_default_resource 154892->154893 154894 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154893->154894 154895 7ff7c412b79d 154894->154895 155090 7ff7c411262c 11 API calls 154895->155090 155091 7ff7c4112620 11 API calls 154895->155091 154896 7ff7c412b7c8 154897 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154896->154897 154898 7ff7c412b7d6 _Aligned_get_default_resource 154897->154898 154899 7ff7c401b4e4 
_DeleteExceptionPtr 50 API calls 154898->154899 154900 7ff7c412b83d 154899->154900 155097 7ff7c411262c 11 API calls 154900->155097 155098 7ff7c4112620 11 API calls 154900->155098 154901 7ff7c412b868 154902 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154901->154902 154903 7ff7c412b876 _Aligned_get_default_resource 154902->154903 154904 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154903->154904 154905 7ff7c412b8e2 154904->154905 155111 7ff7c411262c 11 API calls 154905->155111 155112 7ff7c4112620 11 API calls 154905->155112 154906 7ff7c412b90d 154907 7ff7c401b694 _DeleteExceptionPtr 47 API calls 154906->154907 154908 7ff7c412b91b _Aligned_get_default_resource 154907->154908 154909 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 154908->154909 154910 7ff7c412b985 154909->154910 155073->154886 155074->154886 155075->154861 155078->154835 155083->154891 155084->154891 155087->154871 155088->154871 155089->154832 155090->154896 155091->154896 155092->154840 155095->154876 155096->154876 155097->154901 155098->154901 155104->154881 155105->154881 155111->154906 155112->154906 155116->154855 155119 7ff7c4038858 std::_Facet_Register 50 API calls 155118->155119 155120 7ff7c40954a5 155119->155120 155266 7ff7c40740cc 155120->155266 155122 7ff7c40954e6 155122->154798 155122->154799 155124 7ff7c41128a7 RegOpenKeyExW 155123->155124 155125 7ff7c41128a4 155123->155125 155126 7ff7c411299e 155124->155126 155127 7ff7c41128f1 155124->155127 155125->155124 155128 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 155126->155128 155278 7ff7c41232f0 RegQueryValueExW 155127->155278 155129 7ff7c41129af 155128->155129 155129->154813 155130 7ff7c4112982 RegCloseKey 155130->155126 155131 7ff7c4112958 155131->155130 155132 7ff7c411293b 155132->155130 155132->155131 155133 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155132->155133 155133->155130 155136 7ff7c411ff75 155135->155136 155147 7ff7c412001a 155135->155147 155137 7ff7c412002b 155136->155137 155138 7ff7c411ffa3 
155136->155138 155280 7ff7c401a654 49 API calls _DeleteExceptionPtr 155137->155280 155139 7ff7c411ffbd 155138->155139 155140 7ff7c411ffb0 155138->155140 155144 7ff7c4038858 std::_Facet_Register 50 API calls 155139->155144 155145 7ff7c411ffb8 memcpy_s 155139->155145 155143 7ff7c401b82c _DeleteExceptionPtr 50 API calls 155140->155143 155143->155145 155144->155145 155279 7ff7c40da254 47 API calls 3 library calls 155145->155279 155147->154832 155148->154832 155150 7ff7c411267f 155149->155150 155151 7ff7c4112682 RegOpenKeyExW 155149->155151 155150->155151 155152 7ff7c4112719 155151->155152 155153 7ff7c41126b2 RegQueryValueExW 155151->155153 155155 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 155152->155155 155156 7ff7c41126f8 155153->155156 155157 7ff7c411270e RegCloseKey 155153->155157 155158 7ff7c4112728 155155->155158 155156->155157 155157->155152 155158->154866 155160 7ff7c411262c RegOpenKeyExW 155159->155160 155162 7ff7c4112719 155160->155162 155163 7ff7c41126b2 RegQueryValueExW 155160->155163 155165 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 155162->155165 155166 7ff7c41126f8 155163->155166 155167 7ff7c411270e RegCloseKey 155163->155167 155168 7ff7c4112728 155165->155168 155166->155167 155167->155162 155168->154866 155223->154832 155224->154832 155225->154822 155267 7ff7c4074165 ISource 155266->155267 155268 7ff7c40740f5 155266->155268 155267->155122 155270 7ff7c4074119 155268->155270 155271 7ff7c4074126 155268->155271 155277 7ff7c40741ad 155268->155277 155269 7ff7c401b80c Concurrency::cancel_current_task 50 API calls 155272 7ff7c40741b3 155269->155272 155273 7ff7c401b82c _DeleteExceptionPtr 50 API calls 155270->155273 155274 7ff7c4038858 std::_Facet_Register 50 API calls 155271->155274 155275 7ff7c4074121 155271->155275 155273->155275 155274->155275 155275->155267 155276 7ff7c40468ac _invalid_parameter_noinfo_noreturn 47 API calls 155275->155276 155276->155277 155277->155269 155278->155132 155279->155147 155385 7ff7c4038858 
std::_Facet_Register 50 API calls 155384->155385 155386 7ff7c41304b3 155385->155386 155387 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155386->155387 155388 7ff7c4130507 155387->155388 155410 7ff7c41317b8 155388->155410 155411 7ff7c4131807 155410->155411 155412 7ff7c41317f1 155410->155412 155413 7ff7c41330a7 155411->155413 155414 7ff7c4131827 155411->155414 155416 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155412->155416 155415 7ff7c401b708 _DeleteExceptionPtr 49 API calls 155413->155415 155417 7ff7c401a9c0 50 API calls 155414->155417 155418 7ff7c41330ac 155415->155418 155416->155411 155419 7ff7c4131859 155417->155419 155880 7ff7c4130de4 155419->155880 155881 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155880->155881 155882 7ff7c4130e32 155881->155882 155883 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155882->155883 155884 7ff7c4130e5d 155883->155884 155885 7ff7c413068c 50 API calls 155884->155885 155886 7ff7c4130e85 155885->155886 155887 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155886->155887 155888 7ff7c4130e8f 155887->155888 155889 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155888->155889 155890 7ff7c4130e99 155889->155890 155891 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155890->155891 155892 7ff7c4130ec2 155891->155892 155893 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155892->155893 155894 7ff7c4130eed 155893->155894 155895 7ff7c413068c 50 API calls 155894->155895 155896 7ff7c4130f0e 155895->155896 155897 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155896->155897 155898 7ff7c4130f18 155897->155898 155899 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155898->155899 155900 7ff7c4130f22 155899->155900 155901 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155900->155901 155902 7ff7c4130f4f 155901->155902 155903 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155902->155903 155904 7ff7c4130f7a 155903->155904 155905 7ff7c413068c 50 API calls 155904->155905 155906 7ff7c4130f9b 155905->155906 155907 7ff7c401b694 _DeleteExceptionPtr 47 API calls 
155906->155907 155908 7ff7c4130fa5 155907->155908 155909 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155908->155909 155910 7ff7c4130faf 155909->155910 155911 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155910->155911 155912 7ff7c4130fd8 155911->155912 155913 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155912->155913 155914 7ff7c4131003 155913->155914 155915 7ff7c413068c 50 API calls 155914->155915 155916 7ff7c4131024 155915->155916 155917 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155916->155917 155918 7ff7c413102e 155917->155918 155919 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155918->155919 155920 7ff7c4131038 155919->155920 155921 7ff7c4131238 155920->155921 155922 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155921->155922 155923 7ff7c4131285 155922->155923 155924 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155923->155924 155925 7ff7c41312b5 155924->155925 155926 7ff7c413068c 50 API calls 155925->155926 155927 7ff7c41312df 155926->155927 155928 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155927->155928 155929 7ff7c41312e9 155928->155929 155930 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155929->155930 155931 7ff7c41312f3 155930->155931 155932 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155931->155932 155933 7ff7c413131f 155932->155933 155934 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155933->155934 155935 7ff7c4131344 155934->155935 155936 7ff7c413068c 50 API calls 155935->155936 155937 7ff7c4131365 155936->155937 155938 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155937->155938 155939 7ff7c413136f 155938->155939 155940 7ff7c401b694 _DeleteExceptionPtr 47 API calls 155939->155940 155941 7ff7c4131379 155940->155941 155942 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155941->155942 155943 7ff7c41313a1 155942->155943 155944 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 155943->155944 155945 7ff7c41313c8 155944->155945 155946 7ff7c413068c 50 API calls 155945->155946 155947 7ff7c41313e9 155946->155947 155948 7ff7c401b694 
162359->162350 162360 7ff7c4071ca0 162361 7ff7c4071e62 162360->162361 162362 7ff7c4071ce2 162360->162362 162363 7ff7c401b630 49 API calls 162361->162363 162362->162361 162364 7ff7c4071ceb 162362->162364 162365 7ff7c4071e6c 162363->162365 162366 7ff7c407190c 62 API calls 162364->162366 162367 7ff7c4071cf3 162366->162367 162393 7ff7c40719d8 162367->162393 162371 7ff7c401b694 _DeleteExceptionPtr 47 API calls 162372 7ff7c4071d36 162371->162372 162373 7ff7c4071e3c 162372->162373 162400 7ff7c40723d8 143 API calls 3 library calls 162372->162400 162374 7ff7c4038920 __std_fs_get_file_attributes_by_handle 8 API calls 162373->162374 162376 7ff7c4071e4b 162374->162376 162377 7ff7c4071d72 162378 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 162377->162378 162392 7ff7c4071e11 162377->162392 162380 7ff7c4071da7 162378->162380 162379 7ff7c407190c 62 API calls 162381 7ff7c4071e1e RegCloseKey 162379->162381 162401 7ff7c407329c 137 API calls 2 library calls 162380->162401 162383 7ff7c4019a44 47 API calls 162381->162383 162385 7ff7c4071e32 162383->162385 162384 7ff7c4071db9 162386 7ff7c401b694 _DeleteExceptionPtr 47 API calls 162384->162386 162387 7ff7c401b694 _DeleteExceptionPtr 47 API calls 162385->162387 162388 7ff7c4071dc3 162386->162388 162387->162373 162389 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 162388->162389 162390 7ff7c4071dee 162389->162390 162391 7ff7c401b694 _DeleteExceptionPtr 47 API calls 162390->162391 162391->162392 162392->162379 162394 7ff7c401b4e4 _DeleteExceptionPtr 50 API calls 162393->162394 162395 7ff7c4071a12 162394->162395 162396 7ff7c4019d08 UnDecorator::getPointerType 50 API calls 162395->162396 162397 7ff7c4071a3b 162396->162397 162398 7ff7c401b694 _DeleteExceptionPtr 47 API calls 162397->162398 162399 7ff7c4071a6d RegOpenKeyExW 162398->162399 162399->162371 162400->162377 162401->162384
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    • Associated: 00000000.00000002.2899360126.00007FF7C4000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900140362.00007FF7C42E9000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900415218.00007FF7C43BF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900500105.00007FF7C43CA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900527412.00007FF7C43CB000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900560114.00007FF7C43DD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900692178.00007FF7C43E3000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900692178.00007FF7C4401000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Mtx_unlock
    • String ID: #$#$00000000-0000-0000-0000-000000000000$ANID$AccountType$AddedScopesCount$AppId$AppVersion$App_Name$BuildArchitecture$CID$CrossTenantScopeCount$DeviceInfo.OsBuild$DeviceInfo.OsVersion$Environment$FALType$FeatureSet$FileSystemType$InGoSov$IsTestMachine$IsWCOSMachine$IsWOFCompressed$ItemCount$KnownOcsiVersions$MSFTInternal$MachineGuid$Market$None$OSArchitecture$OSDeviceName$OSSku$OSUserName$OfficeVersionString$OneDriveDeviceId$OneDriveUserId$PhysicalDeviceId$PlaceholdersEnabled$Prod$RampConfiguration$Retail$SPOServerVersion$Scenario$Setup$TeamSitesCount$TenantDisplayName$TenantOID$Unknown$UpdateGroupId$UpdateRing$UpdateRingRampGroup$UserGuid$VDIProvider$WipRing$Workload$false$m:0$n:0$primaryToken$'s$Bu$\p$mw$vr$vy$~{
    • API String ID: 1418687624-1402947493
    • Opcode ID: 50e74982eab5c58a5a1362675d5d92d4f5fe9fe05a0648c5fc0d1666501775f6
    • Instruction ID: fc89275a2086fd9e53f1f1cee6d0ab2cae63745e98106a07aa6112c71c49bb6a
    • Opcode Fuzzy Hash: 50e74982eab5c58a5a1362675d5d92d4f5fe9fe05a0648c5fc0d1666501775f6
    • Instruction Fuzzy Hash: 9A53C523A59AC296EB10EF65E8801EDA370FB8135CFC15132EA8D57AA9DF7CD644C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$_invalid_parameter_noinfo_noreturn$Open
    • String ID: AccountHints$AuthenticationURLs$Authority$Business$ConfiguredTenantId$CrashDetectionKey$DiscoveryApi$DiscoveryResourceId$DisplayName$EdpManaged$EnableADALForSilentBusinessConfig$ExpressSignInCompletedState$FirstRun$FirstRunSignInOrigin$ForceLogUpload$GraphApi$HasMadeFirstUpload$IsUpgradeAvailable$LastKnownCloudFilesEnabled$LastShutdownReason$LatestSignInStack$MainAccount$NamespaceRootId$NextEmailHRDUpdate$OneAuthAccountId$OneAuthClientIdUpperCase$OneAuthUnrecoverableFailureTimeStamp$OneDriveDeviceId$Personal$RootAddedToFavorites$SharePointOnPrem$Software\Microsoft\OneDrive$TenantAddedToFavorites$Tenants$UpdatedTenantValue$UserEmail$UserFolder$WamWebAccountId$cid${018D5C66-4533-4307-9B53-224DE2ED1FE6}
    • API String ID: 1019738232-855204990
    • Opcode ID: 099f38d17ae06991729c672905a3f6f1acc7d9e5174430b45af91a9420397539
    • Instruction ID: 96956f18d2ca89ddd9392143a0453f0998bdb8c974b9c6d56c390e5e889b5bd1
    • Opcode Fuzzy Hash: 099f38d17ae06991729c672905a3f6f1acc7d9e5174430b45af91a9420397539
    • Instruction Fuzzy Hash: 5D138162A04BC285D730EF26D8802EDB760FB95BACF945136DA4D57BA9DF38D285C310
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$ExistsFilePath$ErrorLast$CommandInitializeLineProfileType_invalid_parameter_noinfo_noreturn
    • String ID: /repair$19.0.0.0$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$FileSyncClient.dll$FileSyncClientUpdaterNamedMutex$Global\PerMachineUpdaterNamedMutex$LoggingPlatform.dll$OneDrive.exe$OneDriveExeMissing$Result$StandaloneUpdate$StandaloneUpdater$StandaloneUpdater::InitializeWithDefaultImplementations$UnexpectedFailure$\StandaloneUpdater\logs$commandLineArgs$initLogResult$mode$remoteDebug$remotePort$version$wait
    • API String ID: 565533978-3225931203
    • Opcode ID: 31b260ee9ea95669a28c193130e44ca36715b23f32bc064c4f61e72e37b005c2
    • Instruction ID: b0c05afad9087777f5d570065f7c246ef6b697f327ed297e7140ec506dfb7e96
    • Opcode Fuzzy Hash: 31b260ee9ea95669a28c193130e44ca36715b23f32bc064c4f61e72e37b005c2
    • Instruction Fuzzy Hash: 5A034D32A05BC58ADB60EF22D8802EDB7B4FB84B68F854136DA8D47B65DF38D594C710

    APIs
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4131AAB
      • Part of subcall function 00007FF7C401B694: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C401B6EF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource_invalid_parameter_noinfo_noreturn
    • String ID: AADJMachineDomainGuid$AllowTenantList$AutomaticUploadBandwidthPercentage$BlockTenantList$DefaultRootDir$DehydrateSyncedTeamSites$DisableCustomRoot$DisableFREAnimation$DisableFirstDeleteDialog$DisablePersonalSync$DisableTutorial$DiskSpaceCheckThresholdMB$DownloadBandwidthLimit$EnableAutomaticUploadBandwidthManagement$EnableEnterpriseUpdate$EnableODIgnoreListFromGPO$EnableOneNoteSupportPreview$EnableSyncAdminReports$FilesOnDemandEnabled$ForcedLocalMassDeleteDetection$GPOEnabled$GPOSetUpdateRing$LocalMassDeleteFileDeleteThreshold$MinDiskSpaceLimitInMB$PermitDisablePermissionInheritance$PreventNetworkTrafficPreUserSignIn$Remote Access$SOFTWARE\Microsoft\OneDrive\Tenants\$SharePointOnPremFrontDoorUrl$SharePointOnPremPrioritization$SharePointOnPremTenantName$SilentAccountConfig$Software\Microsoft\OneDrive$Software\Policies\Microsoft\OneDrive$SyncAdminReports$SyncAdminReportsPreview$TelemetryUploadUri$TenantAutoMount$UploadBandwidthLimit$WarningMinDiskSpaceLimitInMB
    • API String ID: 4266926526-3888118743
    • Opcode ID: 2feefac2649b41c539eeba882315d42c9b692e9e115e7e8a54eef6d2247de213
    • Instruction ID: 8144da952f917a9b3183b5a8a1c486415f2d8b16c08ae060779a3c636dff851a
    • Opcode Fuzzy Hash: 2feefac2649b41c539eeba882315d42c9b692e9e115e7e8a54eef6d2247de213
    • Instruction Fuzzy Hash: 20F28262F14A829AE720EF71D4800EDA771FF9575CB911139DE4C33A6AEF389215C398

    APIs
      • Part of subcall function 00007FF7C4027D28: CoCreateGuid.OLE32 ref: 00007FF7C4027D6C
      • Part of subcall function 00007FF7C4050184: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7C4050198
      • Part of subcall function 00007FF7C4028DE8: _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4028EB5
      • Part of subcall function 00007FF7C4028DE8: _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4028EDF
      • Part of subcall function 00007FF7C401B694: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C401B6EF
      • Part of subcall function 00007FF7C4111B9C: _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4111BA0
      • Part of subcall function 00007FF7C411AF40: RegCreateKeyExW.KERNELBASE ref: 00007FF7C411AF9F
      • Part of subcall function 00007FF7C411AF40: RegSetValueExW.KERNELBASE ref: 00007FF7C411AFDE
      • Part of subcall function 00007FF7C411AF40: RegCloseKey.ADVAPI32 ref: 00007FF7C411AFEB
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C402731A
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4027664
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C40276DE
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C402784F
      • Part of subcall function 00007FF7C4001000: EventWriteTransfer.ADVAPI32 ref: 00007FF7C4001097
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4027C2C
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4027C98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$CreateTime$CloseEventFileGuidSystemTransferValueWrite_invalid_parameter_noinfo_noreturn
    • String ID: /allusers$ /onedriverepair$ /restart$ /updateSource:ODSU$ /vermismatchrepair$/update$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterController.cpp$OdsuDownloadOneDriveSetupEndTime$OdsuDownloadOneDriveSetupStartTime$OneDriveSetup.exe$SetupBinary$Software\Microsoft\OneDrive$Software\Microsoft\OneDrive\UpdateFailedReason$StandaloneUpdater$StandaloneUpdaterController::ApplyUpdate$StandaloneUpdaterController::DownloadUpdate$StandaloneUpdaterController::LaunchOneDriveSetup$StandaloneUpdaterDownloadSetupBinary$StandaloneUpdaterLaunchUpdateBinary$UnexpectedFailure$UpdateFailedReason$\StandaloneUpdater$result
    • API String ID: 3808290914-189878748
    • Opcode ID: 7f5e759b0c3b280685e2a6941011cb3509a9004ba38af63e72df46b675cc7f4a
    • Instruction ID: 0fc5aebf7f79513162ae3dbdf238052fec2b10322fb254a42170875acb103acf
    • Opcode Fuzzy Hash: 7f5e759b0c3b280685e2a6941011cb3509a9004ba38af63e72df46b675cc7f4a
    • Instruction Fuzzy Hash: BBA25172A08BC199E720DF65E8802EEBBB4F795358F910129DA8D13A69DF3CD195CB10

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: FreeString
    • String ID: UpdateXMLParser::ParseUpdateNodeXML$UpdateXMLParser::ParseUpdateXML$amd64binary$arm64binary$binary$currentversion$d:\dbs\sh\odct\0223_153807_0\cmd\16\client\onedrive\Setup\standalone\UpdateXMLParser\UpdateXMLParser.cpp$maxapplicable$minapplicable$msixbinary$rescan$sha1hash$sha256hash$throttle$update$update$url
    • API String ID: 3341692771-466497408
    • Opcode ID: 8f8eb3d21b2e64c98929babaf0f0912ff557b99543e647e88257239bb34e27e3
    • Instruction ID: f2339b3903abd8b9e5703e4d55b8ba40cd3ed1eec1d174282ab1e68a47b06d65
    • Opcode Fuzzy Hash: 8f8eb3d21b2e64c98929babaf0f0912ff557b99543e647e88257239bb34e27e3
    • Instruction Fuzzy Hash: 10725F72A08B4686EB10EF57E8C41AAA3B0FB89BA8F940136DE8D53764DF3DD544C750

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: 00000000-0000-0000-0000-000000000000$ANID$AccountType$AppId$AppVersion$BuildArchitecture$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterInstrumentation.cpp$Environment$FeatureSet$IsTestMachine$IsWOFCompressed$MSFTInternal$MachineGuid$Market$OSArchitecture$OSDeviceName$OSSku$OSUserName$OfficeVersionString$OneDriveDeviceId$OneDriveStandaloneUpdaterRepair$OneDriveStandaloneUpdaterUpdate$OneDriveStandaloneUpdaterVerMismatchRepair$Prod$Scenario$StandaloneUpdater$StandaloneUpdaterInstrumentation::SetCommonDatapoints$UpdateGroupId$UpdateRing$UserGuid$VDIProvider$WipRing$false$true
    • API String ID: 3668304517-366307451
    • Opcode ID: e3ac743c4aa71b00d21b0feb6d101fbf750d1f0bdf5e57a712e8f8bec0257ba7
    • Instruction ID: f307c7415b2c5656d05361a11ffbfabb228a7525de91faf6c77e96aa20032d78
    • Opcode Fuzzy Hash: e3ac743c4aa71b00d21b0feb6d101fbf750d1f0bdf5e57a712e8f8bec0257ba7
    • Instruction Fuzzy Hash: 52F27C22A54AC299EB20EF65DCD02EC6770FF9075CF815136CA4D5BAA9EF38D684C350

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$ErrorLast
    • String ID: Business1$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$LastReportAvailabilityTime$LastSignInTime$NetworkAvailable$ODSUPerMachineUpdateScheduledTaskResult$OneDriveStandaloneUpdaterOverallResult$Personal$StandaloneUpdater$StandaloneUpdater::RunUpdaterMode$Success$UnexpectedFailure$result
    • API String ID: 1546395303-11994698
    • Opcode ID: 330b15a735de4af00f8de270ca9b6b87ff3eb46813d58172cc3a3940b45ca7a4
    • Instruction ID: 78c8ee55db49fb5b796ba22b96ae962109b3eb21e9d8009d311e6f3835154684
    • Opcode Fuzzy Hash: 330b15a735de4af00f8de270ca9b6b87ff3eb46813d58172cc3a3940b45ca7a4
    • Instruction Fuzzy Hash: D4C23872608BC289D761AF26E8C03EDB7A4F794798F80413ADA8D47B69DF38D194C710

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$CurrentProcess_invalid_parameter_noinfo_noreturn
    • String ID: from process list.$ to the list of known setup active processes$ to the list of unknown setup active processes$,-501$,-568$Adding process $CommonUtil::GetResourceStringsForSyncRoot got display name resource:$D$Excluding current process ID $OneDrive - Personal$OneDriveSetup.exe$Personal$Registry key LastKnownODSInfo was not found, adding all processes as unknown
    • API String ID: 3187539803-2963708809
    • Opcode ID: 42d9f2b8d44243dffae770ec3bb5aa7d9bef41e87b5b99861d982297cccebab8
    • Instruction ID: dd7edd9f3475c34c762ffb8f01bc52220496cfd2da1b0829012d9d5ba5343ef6
    • Opcode Fuzzy Hash: 42d9f2b8d44243dffae770ec3bb5aa7d9bef41e87b5b99861d982297cccebab8
    • Instruction Fuzzy Hash: 4732B822A18B8586EB10EF26E4805ADB770FB95BACF855132DE8D137A5DF7CE584C310

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    • Associated: 00000000.00000002.2899360126.00007FF7C4000000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900140362.00007FF7C42E9000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900415218.00007FF7C43BF000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900500105.00007FF7C43CA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900527412.00007FF7C43CB000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900560114.00007FF7C43DD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900692178.00007FF7C43E3000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2900692178.00007FF7C4401000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: ObjectSingleWait
    • String ID: Download failed$ODSUEnterprise64$ODSUUpdateXMLUrlFromOC$PreSignInSettingsConfigJSON$SendOfficeConfigToGetUrl Failed$SendOfficeConfigToGetUrl succeeded but emtpy url$SendOfficeConfigToGetUrl succeeded: %ls$SettingsDownloader$UpdateOfficeConfig$UpdateRingSettingURLFromOC$UpdateXMLUrlFromOC$don't use cached url$false$true$use office config update values %ls$using Cached url: %ls
    • API String ID: 24740636-1585111051
    • Opcode ID: a36152af70b704461a310ccbdfc678c566b085629e52db7c4f1da21ac80e3db8
    • Instruction ID: 0ff389310832a03a17a952d9cd8b34b544c488e46d325f318e58d1ff4afc1423
    • Opcode Fuzzy Hash: a36152af70b704461a310ccbdfc678c566b085629e52db7c4f1da21ac80e3db8
    • Instruction Fuzzy Hash: 5522A122F48B4685EB10EFA2D4802ACA3B1FF887ACF850076DE8D5B655DF38D596C354

    • API ID: File$ErrorFindLast$CloseCompareDeleteFirstNextTime
    • String ID: ($*.log$Install$Logger$Removing old logfile : %ls$StandaloneUpdater::InitializeWithDefaultImplementations$d:\dbs\sh\odct\0223_153807_0\cmd\l\client\onedrive\Setup\Standalone\fsmanager\fsmanagerimpl.cpp$gfffffff$gfffffff
    • API String ID: 2234949267-4004574387
    • Opcode ID: 9cf696059ccc2d7e38f42494696a524cc6f1e85b82729d4fd9d799978f7d66fc
    • Instruction ID: 469f91f815729579f1eef2d8b0a06cfaae373a6c12100237cb6a530a9fb67225
    • Opcode Fuzzy Hash: 9cf696059ccc2d7e38f42494696a524cc6f1e85b82729d4fd9d799978f7d66fc
    • Instruction Fuzzy Hash: 86F1B322B58B4292EB10EF66E8801EDA771FB9476CF924275DE4E53695DF3CE580C310

    Similarity
    • API ID: std::_$LockitLockit::_$Getcoll$GetvalsLocinfoLocinfo::~_
    • String ID:
    • API String ID: 300757393-0
    • Opcode ID: 50030403e45c4cc7faff76943a8e7e4041d4fe9af1002f74920d183d88f2c468
    • Instruction ID: 1169137850f24797de3fb5ee5df7359f018489af5586a445724c4cac8dd64415
    • Opcode Fuzzy Hash: 50030403e45c4cc7faff76943a8e7e4041d4fe9af1002f74920d183d88f2c468
    • Instruction Fuzzy Hash: FB325125A0A61696EB40BF53F8D01B9A7A0FF84BBCFC45439D98E57395EE3CE4418324

    Similarity
    • API ID: Crypt$ErrorLast$Hash$ContextDataDestroyParam$AcquireCreateImportRelease_invalid_parameter_noinfo
    • String ID:
    • API String ID: 3131456372-0
    • Opcode ID: ef202b370eea610af21c7ac68efd15ef3e2e1150a87e5a3e5e15789bc651126b
    • Instruction ID: 4486ed594b4daf98c5a66e9484a89b5706ccfbc1149a5bff3c2632e452dec201
    • Opcode Fuzzy Hash: ef202b370eea610af21c7ac68efd15ef3e2e1150a87e5a3e5e15789bc651126b
    • Instruction Fuzzy Hash: 53919721B08B428BF760AF67A4C47BAE6B0BF84B68F814236DF8D87554DE7DD4449720

    Similarity
    • API ID: Aligned_get_default_resource$_invalid_parameter_noinfo_noreturn
    • String ID: In CommonUtil::UnregisterAllSyncRootsFromShellForAllUsers$OneDrive$OneDriveNGSC$Software\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager$UnblockHangingSetupProcesses found active setup processes: $yes
    • API String ID: 879565387-1193557950
    • Opcode ID: 66437d893645637c603f1b528fb2f188509e85e69d809a14aafc60540e6aacbc
    • Instruction ID: c2f741b517bff289b049ed4b8224e7ff15e387fd3510fc06e88c83685123a72b
    • Opcode Fuzzy Hash: 66437d893645637c603f1b528fb2f188509e85e69d809a14aafc60540e6aacbc
    • Instruction Fuzzy Hash: ABF19322B04B8696EB10AF66E4802AD7371FB95BACF815235DE4C17BA5EF3CD144C344

    Similarity
    • API ID: Aligned_get_default_resourceEventTransferWrite
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterController.cpp$OdsuCheckForUpdateEndTime$OdsuCheckForUpdateStartTime$Software\Microsoft\OneDrive$StandaloneUpdater$StandaloneUpdaterController::GetUpdateDescriptions$StandaloneUpdaterDownloadUpdateXml$UnexpectedFailure$Update.xml$UpdateDescriptionXml$UpdateXml$\StandaloneUpdater$\Update
    • API String ID: 2234424010-2098091503
    • Opcode ID: c6a050b8decd95000d04bf5f23ba39465e63f02ee8a1ed4538ac92ec86e35916
    • Instruction ID: 16cf0e194f2fc1099c8335e3951d4c29c2e093b284438d3b71aac6e72c6c0cb9
    • Opcode Fuzzy Hash: c6a050b8decd95000d04bf5f23ba39465e63f02ee8a1ed4538ac92ec86e35916
    • Instruction Fuzzy Hash: 96426272A08BC295E720DF61E8806EDB7B4FB8836CF950129DA8D53A69DF3CD194C710
    Similarity
    • API ID: LockitLockit::_std::_$GetctypeYarn
    • String ID:
    • API String ID: 3438675547-0
    • Opcode ID: bf5dd61b7a34776e0edf1a8bae1d9409acaa6ee63d02105d78df123b1f634398
    • Instruction ID: 41bc8463b5b0021220a350693810d36b3a7c7821258f7789a22e4d18eaa5906d
    • Opcode Fuzzy Hash: bf5dd61b7a34776e0edf1a8bae1d9409acaa6ee63d02105d78df123b1f634398
    • Instruction Fuzzy Hash: 53E18222E0A61286F655BF63E9D01B9E6B0AF80BF8F845139D98D57795FE3CF4418320
    Similarity
    • API ID: Crypt$Hash$Context$DestroyParamRelease$AcquireCreateDataErrorFromLastString
    • String ID: @
    • API String ID: 3410579537-2766056989
    • Opcode ID: 0e7fac4e6e7da7407f6ae19668e6357d80241ca7640e6147babe29be2ac0a2a8
    • Instruction ID: 4993239a982a30bdbd2be8fb62793271dd8b8cbaa4bc82bd883582c46e65f569
    • Opcode Fuzzy Hash: 0e7fac4e6e7da7407f6ae19668e6357d80241ca7640e6147babe29be2ac0a2a8
    • Instruction Fuzzy Hash: 00516E32F14A518AF710DF72E8816AD77B4FB88B58B94403AEE4DA7A28DF38C545D710
    • API ID: File$CreateStream$ExistsObjectPathSingleWait
    • String ID: Download failed$Downloading settings from %ls, useBitsAndRetry: true$Failed to copy the downloaded settings file locally.$Failed to download settings, will try to use local file.$PreSignInSettingsConfigJSON
    • API String ID: 2936357844-2725867305
    • Opcode ID: 16febd306c33de69bfee59ef413f4920b181549ae2dcbe9e63c49dbbfdbabc47
    • Instruction ID: 0e9edbff4f8d29654cb1abee24738ba2354b75e959e9f1c40d545d42e8c22cb4
    • Opcode Fuzzy Hash: 16febd306c33de69bfee59ef413f4920b181549ae2dcbe9e63c49dbbfdbabc47
    • Instruction Fuzzy Hash: A1C1AE22B08A1A86EB04EF67D49436DA3B1BB84BACF864076CE4D57754DF3CE094C364
    • API ID: Find$ErrorFileLast$CloseFirstNext
    • String ID: *****$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterInstallationRepair.cpp$FileName$StandaloneUpdaterInstallationRepair::ShallowCheckDirectoryForFile
    • API String ID: 1978927887-1546141847
    • Opcode ID: b1b16916b4d52d24f98747d4b22c409dcc0f633320e020e635cd53450767a8fa
    • Instruction ID: ef639dfc1bb9e61d832e6423d5f2b91a7e030883a6254719ce0e61d37b5fd28d
    • Opcode Fuzzy Hash: b1b16916b4d52d24f98747d4b22c409dcc0f633320e020e635cd53450767a8fa
    • Instruction Fuzzy Hash: 21A1E172A08B4185E710EF66D8801EDA7B0FB943ACF824232DA5D57AE9DF7CE584C310
    • API ID: Aligned_get_default_resourceCloseOpenQueryValue_invalid_parameter_noinfo_noreturn
    • String ID: ($LastKnownODSInfo$Software\Microsoft\OneDrive$Value from LastKnownODSInfo was set to:
    • API String ID: 3486858027-422602036
    • Opcode ID: b087e23d63c07346181d0e4d8024874fc9492587e0140d83f81d947ace088f9f
    • Instruction ID: 9d907c4c708171e2ebbbb70f4768474ef4dc26c899e2e2ce4d4e9d2fea443ba5
    • Opcode Fuzzy Hash: b087e23d63c07346181d0e4d8024874fc9492587e0140d83f81d947ace088f9f
    • Instruction Fuzzy Hash: B8F1F522F14A469AEB10EF66E4802EDB7B1FB44BACF804132DE8D27A94DF38D545C354
    • API ID: Find$ErrorFileLast$CloseFirstNext
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterInstallationRepair.cpp$Result$StandaloneUpdaterInstallationRepair::RecursiveCheckDirectoryForFile
    • API String ID: 1978927887-3488611399
    • Opcode ID: 64524530b1d0f504e5f68da9c27695aa5d3c061c6dea0b5e3fe5807a4808f7a0
    • Instruction ID: b716f5668784ee14eff60a1f4e7d84b5a04130eccb60d2d26f56a8fde869185e
    • Opcode Fuzzy Hash: 64524530b1d0f504e5f68da9c27695aa5d3c061c6dea0b5e3fe5807a4808f7a0
    • Instruction Fuzzy Hash: A071A362A08A8295E710EF66E9C02E9A760FB843ACFC10275DD5D576E6DF3CD588C710
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: ce8386b37b8794311d367d85686b18d038fa3dc8e868a277bcfeef69f9b7f61f
    • Instruction ID: feb0381b1a50f1e6e51a0091c8884da1512395343f7ac4d9ce253d74af59e26a
    • Opcode Fuzzy Hash: ce8386b37b8794311d367d85686b18d038fa3dc8e868a277bcfeef69f9b7f61f
    • Instruction Fuzzy Hash: 8FC1C662B5CA8665E7517F5280843FDA690EB817A8FC60179EE4E0B392DF7CE4D48720
    • API ID: BinaryCryptString$Aligned_get_default_resource_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3442064244-0
    • Opcode ID: 4dfde2c2cf7fe4d272eb5990125d5a08c5f494464e00bc4d0c081b30904a2988
    • Instruction ID: 60f87f2b08eb5f90b853a51f7d7954e523d0358b71c171a3a0f3b7db82bf0af5
    • Opcode Fuzzy Hash: 4dfde2c2cf7fe4d272eb5990125d5a08c5f494464e00bc4d0c081b30904a2988
    • Instruction Fuzzy Hash: 0A517572B08B8581EB009F66E4802ADB7B4FB85BA8F500236DE8C57B99DF7DD540C710
    • API ID: NameUser_invalid_parameter_noinfo_noreturn
    • String ID: *****
    • API String ID: 1934235484-64375082
    • Opcode ID: d979243b4bf3284b5490b0288f711d2880b3276218cd9be04c29c20c49ff9587
    • Instruction ID: d2c0f79567b36eadef89d1a292017c6448f87385cb62c7ace5a9d6f5bc0a2ba4
    • Opcode Fuzzy Hash: d979243b4bf3284b5490b0288f711d2880b3276218cd9be04c29c20c49ff9587
    • Instruction Fuzzy Hash: B361A272F14A4586EB00EF76D4811ADA371BB48BB8F949632DE6C17B99DF38E081C750
    • API ID:
    • String ID: Create webClient: hr = %x$Downloading %ls from %ls hr = %x$PreSignInSettingsConfigJSON$Set a flag to try OfficeConfig if download fails. isToDownloadUpdateRingSEttingsJson: %d, sentOfficeConfig: %d, urlFromOfficeConfi$SettingsDownloader$statusCode: %ls
    • API String ID: 0-1526529126
    • Opcode ID: 997baf19218ef6a2ccc3e54ba31b91af1fc003c0fd3bb9f53601e0f5555e5b41
    • Instruction ID: ab334f6b01b44ea0156068c46d554ba9b18c3b8a04228f5b650ad4e9759e4215
    • Opcode Fuzzy Hash: 997baf19218ef6a2ccc3e54ba31b91af1fc003c0fd3bb9f53601e0f5555e5b41
    • Instruction Fuzzy Hash: 87D16D32B04B5685EB10EFA6E8801ADB3B1FB887A8F914136DE8D57768DF38D585C710
    • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
    • String ID: (
    • API String ID: 692674288-3887548279
    • Opcode ID: db5ee6d10f99b75f896f039be5615359d1c97a6990404ecf7742fe26cf9ad3d1
    • Instruction ID: dc8b93e605b2d4d9c81b5005bf80d3f2911b985e939eb612c6389fa7e2221d6b
    • Opcode Fuzzy Hash: db5ee6d10f99b75f896f039be5615359d1c97a6990404ecf7742fe26cf9ad3d1
    • Instruction Fuzzy Hash: 4C519272A18B45C6E720DF26E4802ADB774F788FA8F549226DA9C537A4DF3CE585C700
    • API ID: CriticalSection$EnterLeaveSystemTime
    • String ID: %02ld/%02ld/%04ld %02ld:%02ld:%02ld.%03ld %ls:
    • API String ID: 158492304-2619188813
    • Opcode ID: 86b580618fd72c6665a5c922f3fc81e17f3b6b9c39213da25ec836fe68d4d953
    • Instruction ID: 753c4ef21afd2ee52e9431d17e7288227b6e2bbde396edc2903726ab285f68cc
    • Opcode Fuzzy Hash: 86b580618fd72c6665a5c922f3fc81e17f3b6b9c39213da25ec836fe68d4d953
    • Instruction Fuzzy Hash: 9431A172A1879486E710AF12B48026AE761FB857A5F404135FF8D02B68DF3CE495CB14
    • API ID: AccountLookupName_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 839729955-0
    • Opcode ID: 2c0f7ef2aa94f4ab6c519b8dd6fead764896eb18fa01bda50e0776e5e02ff394
    • Instruction ID: 8674045a9031f8440a45f516cc2726f34a04b0865c74e8d0630b03fafc9a2d7b
    • Opcode Fuzzy Hash: 2c0f7ef2aa94f4ab6c519b8dd6fead764896eb18fa01bda50e0776e5e02ff394
    • Instruction Fuzzy Hash: 1541B173B15A419AEB10AFB6E4802EDA3B1EB44BACF405736DF5D17A98EE38D140C350
    • API ID: ErrorLast
    • String ID: (%hs:%d) ERROR: "%hs" failed with 0x%08x in %hs. %hs$Chk
    • API String ID: 1452528299-2899443072
    • Opcode ID: db5372f5f6827d442af5b2b6f322f19c7f2c5e7c1202695eebfb0266df89f503
    • Instruction ID: 36393f9bee0c61e9a92ee43cf35643318d6ad95f666d21aa96a96a9bf0465b1a
    • Opcode Fuzzy Hash: db5372f5f6827d442af5b2b6f322f19c7f2c5e7c1202695eebfb0266df89f503
    • Instruction Fuzzy Hash: 3E418036718A8099E720EF22E8817DAB7A5F788368F800135EE4D47B58DE3DD545CB10
    • API ID: ControlDevice$ChangeCloseCreateFileFindNotification
    • String ID:
    • API String ID: 3998978727-0
    • Opcode ID: 396d628800b17f8ff3407604a8fe3b5494d36eab048ed13eaf4b054166f969a8
    • Instruction ID: d3902ae5b12b81d5b58e6aa375f1dd4469cf272ce8675ca386666053c4bc3a73
    • Opcode Fuzzy Hash: 396d628800b17f8ff3407604a8fe3b5494d36eab048ed13eaf4b054166f969a8
    • Instruction Fuzzy Hash: BF219132618B4086E7209F11F48465AB7B4F789BA8FA11235EB9D03B58DF3DD545CB44
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: d22760135097dd94da45b74280fb4d408dfe5d09f6f4ff3793cf992284b1661f
    • Instruction ID: bd7d6781bbb51d916320b6b500ca48028f2ab8f40dbba2476fe6c7af54ade580
    • Opcode Fuzzy Hash: d22760135097dd94da45b74280fb4d408dfe5d09f6f4ff3793cf992284b1661f
    • Instruction Fuzzy Hash: 7C41F522A48A8195EB20EF22D8812FD6370FB447ACF811272DE5D575E9DF7CDA85CB10
    APIs
    Strings
    • d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp, xrefs: 00007FF7C4105842
    • API ID: CreateInstance
    • String ID: d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 542301482-4154765878
    • Opcode ID: 14aafecefa20e9860b8ee12c269226518a6562bc8fdbbd7b4a5c63767ea08d00
    • Instruction ID: 67139014f14c4cd7535ae1e7e671333393ea43935afecc05baab2bc193f08a89
    • Opcode Fuzzy Hash: 14aafecefa20e9860b8ee12c269226518a6562bc8fdbbd7b4a5c63767ea08d00
    • Instruction Fuzzy Hash: 1B215E66B18A4282EB14EF17E4D4279B3A0FB88BA8F944436EE4E47764DF2CD444C710
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 7b7730ee37c83265af0e29a2ad46a84a1375ab3977f4ba9c50997fe6df8a076b
    • Instruction ID: 47b89b8eb3a20f15757542029c33fe5e6e2fdbe3db696d4ec1dc30b33b1bb597
    • Opcode Fuzzy Hash: 7b7730ee37c83265af0e29a2ad46a84a1375ab3977f4ba9c50997fe6df8a076b
    • Instruction Fuzzy Hash: 6CF1BF22F04B4686FB00EF66E4842ACA7A1BB45BB8F995635DE4D17795EF3CD481C320
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 677ea510a7776c4316773a18f87642b9b716e8750f8448cfe36950ca3ee5330e
    • Instruction ID: 82c1f88b58ffbd67ca53aaad0e2a49addcfe389105bcb3b33f85e325d7cb6b5d
    • Opcode Fuzzy Hash: 677ea510a7776c4316773a18f87642b9b716e8750f8448cfe36950ca3ee5330e
    • Instruction Fuzzy Hash: B6F082A692C04287E2956E5AE0E5B789390EB54B29FD01131E28E42BD4EA1CD5458B21
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: b21d9d18dfe1e3d240a916f345d58af2051f716ce605decd530715c3b79d86f8
    • Instruction ID: 800c319cb2be8d321943727a55b8990583ef156d565dc8af75ff50ffaff9a006
    • Opcode Fuzzy Hash: b21d9d18dfe1e3d240a916f345d58af2051f716ce605decd530715c3b79d86f8
    • Instruction Fuzzy Hash: B881B232A14A2186FB60EE26D4C237DA360FB84BACF954636EE1E97785DF39D4418350

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: BootstrapperUsingFallback$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$OdsuCheckForUpdateEndTime$OdsuCheckForUpdateStartTime$OdsuDownloadOneDriveSetupEndTime$OdsuDownloadOneDriveSetupStartTime$Software\Microsoft\OneDrive$StandaloneUpdater$StandaloneUpdater::PerformUpdate$UnexpectedFailure$\OneDrive.exe$\StandaloneUpdater\OneDriveSetup.exe$binaryFilePath$mode$result$versionNumber
    • API String ID: 628915230-3803347822
    • Opcode ID: 33b48419e4d0c677ce5cef387aaed9637095bc19af47dfbce4911a3541f3ba0e
    • Instruction ID: 753afeed5ccd67b96c239339b5f9e84d9721f1f544c28077dca884a334154b96
    • Opcode Fuzzy Hash: 33b48419e4d0c677ce5cef387aaed9637095bc19af47dfbce4911a3541f3ba0e
    • Instruction Fuzzy Hash: DF624072A48BC285E720AF26E4C42EDBBB4FB94758F904139CA8D53A69DF7CD194C710

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: ObjectSingleWait$CriticalSection$CompareEnterEventLeaveResetString
    • String ID: ECSConfigJSON$WebClient$WebClient(%p): Download attempt #%u (max %u)$WebClient(%p): Download attempt #%u result hr=0x%08X$WebClient(%p): Download failed due to disk full error, stop retrying$WebClient(%p): Download succeeded. No changes from previous ECS download$WebClient(%p): Leaving Initialize()$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 3331951236-2224942753
    • Opcode ID: 79388c2f2550d67b7cc665928dcdf7124444024a4e56655f102d1d95c4c4c7f9
    • Instruction ID: 87a915057d74c2e0bcdfd4ddf13c8c297b12393c6a6380a4763c25f348e72897
    • Opcode Fuzzy Hash: 79388c2f2550d67b7cc665928dcdf7124444024a4e56655f102d1d95c4c4c7f9
    • Instruction Fuzzy Hash: A1714131B04A4197E718EF27E9C82E9A3A1FB44BA8F944136DA9D477A0CF3DE455C324
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: DeviceHealth::ScoreRecorder::LoadHealthScores$d:\dbs\sh\odct\0223_153807_0\cmd\o\client\onedrive\Product\Logging\HealthScoreRecorder.cpp$rtTime$scores$trend$unhealthyReportCount
    • API String ID: 3668304517-2805105714
    • Opcode ID: 586e388819ef2fdbf8408010eb88910b7513098c3c8781b001d95b307a109b73
    • Instruction ID: adac533c4a69a04b4f3fdd155f000c6640de2139e0df4879d41817e4901f9c75
    • Opcode Fuzzy Hash: 586e388819ef2fdbf8408010eb88910b7513098c3c8781b001d95b307a109b73
    • Instruction Fuzzy Hash: E422A223A54B8585EB10EF66D8802ADB3B1FB547ACF914672DA5D077A9DF3CE480C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CloseErrorHandleLast$CreateEvent
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\WebClientUpdateDownloader.cpp$WebClientUpdateDownloader::DownloadUpdateFile$downloadId$downloadUrl$nqV$result$waitResult
    • API String ID: 157767052-3667972493
    • Opcode ID: 448f304648f0b553a8326a5c6088b419eab9513dfb42b23a4743c7bb6694b2e9
    • Instruction ID: f04f35d70d50a69880ab5386c20b50913e78e940d0c47798c301175f900d222a
    • Opcode Fuzzy Hash: 448f304648f0b553a8326a5c6088b419eab9513dfb42b23a4743c7bb6694b2e9
    • Instruction Fuzzy Hash: 6CF18F72A08A568AEB10EF22D4C02A9BBB4FB8476CF91013ADE4D53764DF7CE584C750
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveObjectSingleWait
    • String ID: WebClient$WebClient(%p): BITS temporary file=[%ls], foreground download=%ls$WebClient(%p): Failed to set BITS security flags$WebClient(%p): Leaving BeginDownloadUsingBITS()$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp$false$true
    • API String ID: 501323975-3526201224
    • Opcode ID: 71bc7b768be871d095d986434fe72f45f0e7b0fe0b96271553c8005254bb9894
    • Instruction ID: bbeb4d65f1cf517d7190160095c478f4a6070e511a0993185fdea86bd8b58f36
    • Opcode Fuzzy Hash: 71bc7b768be871d095d986434fe72f45f0e7b0fe0b96271553c8005254bb9894
    • Instruction Fuzzy Hash: 01F14C36B08A0692EB14EF26E4D42ADA761FB54FACFA04036CA8D57764DF39E454C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: 46aaba30eaa7421a8df89563496ade33_UpdateRingSettingsDownloadResult$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$High$PreSignInSettingsConfigJSON$StandaloneUpdater::DownloadAndApplyUpdateRingSettings$UpdateRingSettingsDownloadResult$\PreSignInSettingsConfig.json$diagnosticssync$result
    • API String ID: 628915230-2204762119
    • Opcode ID: 4754d27e277f2f4189f2c741d2d881eb45502ee4a599f90aea6b7d5f6c92f9f7
    • Instruction ID: 936a14a9adfa9aaf6ba14ad7142986dcc458c8f1b3bff90aa58ae90828bd4e4a
    • Opcode Fuzzy Hash: 4754d27e277f2f4189f2c741d2d881eb45502ee4a599f90aea6b7d5f6c92f9f7
    • Instruction Fuzzy Hash: C3C16D32A18A8696EB20EF26D8802ECB374FB84BACF854136DA4D57769DF3CD544C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorItemLastLeaveObjectQueueSingleUserWaitWork
    • String ID: WebClient$WebClient(%p): Beginning Async Download, id=[%ls], highPri=[%ls], Uri=[%ls]$WebClient(%p): Leaving DownloadFileAsync()$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp$false$true
    • API String ID: 1248182837-3046352543
    • Opcode ID: a572cc35dbbd941d7d8ed0ec7ae4a644a3a017dbf6c0632b18bbe6dc2dd70a6a
    • Instruction ID: 6d53e492703615ff688fbd4dce24647e68ae51b762f36907cde123076398256a
    • Opcode Fuzzy Hash: a572cc35dbbd941d7d8ed0ec7ae4a644a3a017dbf6c0632b18bbe6dc2dd70a6a
    • Instruction Fuzzy Hash: CF81E366B18B4282EA14AF17E9C82B9A3A1FF45FA8F904535CE9D07794CF3DE554C320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$_invalid_parameter_noinfo_noreturn
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterController.cpp$EnvironmentTypeFromOC$ODSUUpdateXMLUrlFromOC$Software\Microsoft\OneDrive\UpdateOfficeConfig$StandaloneUpdaterController::TryGetOneDriveAGUpdateXMLUrl$UpdateXMLUrlFromOC$environmentType
    • API String ID: 879565387-657031256
    • Opcode ID: 024cb9e4afe8532b8f0676c3a38b22721e30e224a8a87ec33f1248681245305b
    • Instruction ID: 770b28ba8b59b07b97cbd54e28dcea3b77415c16b4f7bf4aff61b9d9ad2aca63
    • Opcode Fuzzy Hash: 024cb9e4afe8532b8f0676c3a38b22721e30e224a8a87ec33f1248681245305b
    • Instruction Fuzzy Hash: FF914C62B08B429AE710EFA2D4805ED7775BB847ACF814136DE4C27AA9EF3CD149C750
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$Leave$CreateEnterEventFileObjectSingleStreamWait
    • String ID: WebClient$WebClient(%p): Download of '%ls' failed$WebClient(%p): Download of '%s' finished successfully.$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 1068316540-2193786703
    • Opcode ID: 01cf9ae1d5b07311e1410f3c3882c59ab8a09c8e85b2a86914b9e6f41a59d2e0
    • Instruction ID: cde7d01023e01a748378fac86370753d7d96b4511e97997993853a6f63a34e1f
    • Opcode Fuzzy Hash: 01cf9ae1d5b07311e1410f3c3882c59ab8a09c8e85b2a86914b9e6f41a59d2e0
    • Instruction Fuzzy Hash: B9616032718A4682EB14EF17E8943ADA361FB84FA8F954036DA8E47764DF3DE445C314
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource$CommandLine$Argv
    • String ID: /firstsetup$D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$StandaloneUpdater$StandaloneUpdater::HandleZeroExhaustPolicy
    • API String ID: 491714849-1820092732
    • Opcode ID: c45ef09b500ad10163d3b4325438d0846adf12c6d3357f1b7db4a593bf5f35e3
    • Instruction ID: 220581943b6ca7568a399796aacad1f51ef315d3121dcd9c134c67b1c6274f25
    • Opcode Fuzzy Hash: c45ef09b500ad10163d3b4325438d0846adf12c6d3357f1b7db4a593bf5f35e3
    • Instruction Fuzzy Hash: 4D519432A08B4296EB10AF26D8C12ADB760FB84B98F854076EA4D17755DF3DD544C750
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveObjectSingleWait
    • String ID: BITS$URLMon$WebClient$WebClient(%p): BeginDownloadAttempt: using %ls$WebClient(%p): Leaving BeginDownloadAttempt()$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 501323975-1611066937
    • Opcode ID: 71be3a4496e1ca19b384613c83b18469630f4cb63c5398c6aa1a02d83a1bbe88
    • Instruction ID: ddc3a6dabf76ea22bd0342049bd7b5a028b7d69b64d1f219aa2907b24f44010a
    • Opcode Fuzzy Hash: 71be3a4496e1ca19b384613c83b18469630f4cb63c5398c6aa1a02d83a1bbe88
    • Instruction Fuzzy Hash: 23317265B08A4682EB01EF27E8D53B9A362AF85FACF944036CD4E472A5DF7DD445C320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Value$ErrorLastPathTemp
    • String ID: File$GUID$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 4253884725-2326459497
    • Opcode ID: 2e4440596deb87ef5c58fcde1d58ad0fadc3362386fc0bccb84bf98f95bc534b
    • Instruction ID: d2eaf50926bdbde99b5c8ecbcd9869651d4b712737b824139ec4220c9fb5c219
    • Opcode Fuzzy Hash: 2e4440596deb87ef5c58fcde1d58ad0fadc3362386fc0bccb84bf98f95bc534b
    • Instruction Fuzzy Hash: FCC1B472B08B4682EB10EF66E4841BDA7A1FB45BA8FA04136DE9E07794DF3DE544C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: OpenValue$Close
    • String ID: CLSID\$CsiSyncClient.exe$Wow6432Node\$\LocalServer32
    • API String ID: 3504879307-2792177521
    • Opcode ID: f6181fd79e36a383b537d39158a2cd1c1fadc960eab39a6b73049f2598fa36cc
    • Instruction ID: 2b5c019a28f093ec265f9fc4ffe201851af8d006e61824ed8f23fcc2981393b5
    • Opcode Fuzzy Hash: f6181fd79e36a383b537d39158a2cd1c1fadc960eab39a6b73049f2598fa36cc
    • Instruction Fuzzy Hash: 6471A272B08B4285FB10EF26E8802ADA7A0FF957ACF905035DA8D57AA9DF3CD545C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Sleep$Aligned_get_default_resourceEventUninitializeUnregister
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$Software\Microsoft\OneDrive$StandaloneUpdater::Run$StandaloneUpdaterSafeMode
    • API String ID: 3660630638-3811060141
    • Opcode ID: 325bed5babb8b840d698e9db4deec1df7fcde38012751f1eabce0eb2e532ab69
    • Instruction ID: 1632689739f7fe2720857e69282f765a835905be797782adc2f725280f2ac8b7
    • Opcode Fuzzy Hash: 325bed5babb8b840d698e9db4deec1df7fcde38012751f1eabce0eb2e532ab69
    • Instruction Fuzzy Hash: 95619432A58A8295E710BF22E4C02B9B7B1FB847ACF851576EA4D176A5DF3CE144C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CommandLine$Aligned_get_default_resourceArgv_invalid_parameter_noinfo_noreturn
    • String ID: /firstsetup$BTSP$FeatureSet$PERM$WVD
    • API String ID: 1486046747-662314634
    • Opcode ID: 636f1f1aa8ab065e091b1cba61957444b1c32ac410c26c08ad43d8fa7fe18b30
    • Instruction ID: e643eb143de907285432d32cc168376fb57614984b59219d924ef3db9da8c2ba
    • Opcode Fuzzy Hash: 636f1f1aa8ab065e091b1cba61957444b1c32ac410c26c08ad43d8fa7fe18b30
    • Instruction Fuzzy Hash: 5BB15023B58B4299FB10EFA2D4911EC6770FB5475CB81503ADE4D63A99EF38D54AC320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: /allusers$/firstsetup
    • API String ID: 628915230-3656141830
    • Opcode ID: 41b52546280e2efd49a74099a39e15c682177040806e24bd6cd13039c79346cd
    • Instruction ID: d74c52c4a44038302c7c312fac3b35f371a3b76155b0060b5b836854dd5a6b22
    • Opcode Fuzzy Hash: 41b52546280e2efd49a74099a39e15c682177040806e24bd6cd13039c79346cd
    • Instruction Fuzzy Hash: 01614062A18A1186EB50EF66E8852BC6370BB54BBCF904335EA6E577E5DF3DD044C320
    APIs
    Strings
    • d:\dbs\sh\odct\0223_153807_0\cmd\16\client\onedrive\Setup\standalone\UpdateXMLParser\UpdateXMLParser.cpp, xrefs: 00007FF7C410370D
    • UpdateXMLParser::GetXMLStream, xrefs: 00007FF7C41036FE
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Variant$String$AllocChangeClearCreateFileFreeInitStreamType
    • String ID: UpdateXMLParser::GetXMLStream$d:\dbs\sh\odct\0223_153807_0\cmd\16\client\onedrive\Setup\standalone\UpdateXMLParser\UpdateXMLParser.cpp
    • API String ID: 593505129-1166790419
    • Opcode ID: 61e4e20d6135379b598a958582408b599f23d2c11c12bb70ab0bed160ccc378c
    • Instruction ID: 80612b0970758ab0777fc1ce844839b0efd5827c17f1a454bf8a3c7b5c471cff
    • Opcode Fuzzy Hash: 61e4e20d6135379b598a958582408b599f23d2c11c12bb70ab0bed160ccc378c
    • Instruction Fuzzy Hash: 0241C362F04A4A86FB00AF67E8851AC63B1BB58FB8F945532CE1D57764EE3CD585C320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalObjectSectionSingleWait$EnterInitializeLeaveUninitialize
    • String ID: WebClient$WebClient(%p): Background thread exiting, hr=0x%08X$WebClient(%p): Background thread started$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 2683532163-4021486414
    • Opcode ID: dc18c2a81bc163a8748b7adec07f97e7be33acccccfd19cc711958619b535fb2
    • Instruction ID: 95522ceb56d50b760f7c670d2309bc0b4ecc3261272161cf31bfd03174961709
    • Opcode Fuzzy Hash: dc18c2a81bc163a8748b7adec07f97e7be33acccccfd19cc711958619b535fb2
    • Instruction Fuzzy Hash: D1415325B0CA4282EB04AF17E8952B9A362BF84FA8F984436D94E573A4DF7DD445C720
    APIs
      • Part of subcall function 00007FF7C4065BC0: EnterCriticalSection.KERNEL32(?,?,6666666666666667,?,00000000,00007FF7C40656B4), ref: 00007FF7C4065BE5
      • Part of subcall function 00007FF7C4065BC0: LeaveCriticalSection.KERNEL32 ref: 00007FF7C4065C08
    • WaitForMultipleObjects.KERNEL32 ref: 00007FF7C4107E58
    • GetLastError.KERNEL32 ref: 00007FF7C4107E6C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveMultipleObjectsWait
    • String ID: WebClient$WebClient(%p): WaitForDownloadAttempt()$WebClient(%p): WaitForDownloadAttempt(), WaitForMultipleObjects() returned hr=0x%08X$WebClient(%p): WaitForMultipleObjects() Abort was signaled.$WebClient(%p): WaitForMultipleObjects() DownloadCompleted was signaled.$WebClient(%p): WaitForMultipleObjects() TryCompleted was signaled.
    • API String ID: 1888064639-1074600636
    • Opcode ID: 9033252cf058b3952cc62b4c05938be6a7d4315af6bc6dac307de367de8e1db8
    • Instruction ID: 06bee710de63b8e752a19994e39bb6702d7be7597898fe5bc76438d852495e0a
    • Opcode Fuzzy Hash: 9033252cf058b3952cc62b4c05938be6a7d4315af6bc6dac307de367de8e1db8
    • Instruction Fuzzy Hash: B4217172B08B4182E640EF16E9956F9B3A0FB48BA8FD00136D95D977A0CF3DE905C760
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
    • String ID:
    • API String ID: 1330151763-0
    • Opcode ID: db3f8f3ff8ef0fe14cbd5ee168f45bc9ee01bce68d8b76161bb959add01bb626
    • Instruction ID: eef6e01fe69e8e4c926db7f5e7c5086ef6ab25cb586bd960a18eb0cf133741b5
    • Opcode Fuzzy Hash: db3f8f3ff8ef0fe14cbd5ee168f45bc9ee01bce68d8b76161bb959add01bb626
    • Instruction Fuzzy Hash: A6C1B033B28A4185EB10DFA6C4816ACB771EB49BACB815225DE2E973E4DF39D455C310
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: IsTest$MSFTInternal$Software\Microsoft\SQMClient$Software\Policies\Microsoft\SQMClient
    • API String ID: 628915230-530480142
    • Opcode ID: 9987272d9afe37239ba4b992b7eb05d3f258229c01e98c0f71a71129e1c3eb41
    • Instruction ID: 7fea4d52c1235877d4479318eaa671d7f57436ed175066b317c7943dce6b5678
    • Opcode Fuzzy Hash: 9987272d9afe37239ba4b992b7eb05d3f258229c01e98c0f71a71129e1c3eb41
    • Instruction Fuzzy Hash: F7716D22A14B429AE710AF32D4801EDB770FB95B9CF855136EA4C13BAAEF3CD645C350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$EnterExistsFileLeaveObjectPathSingleWait
    • String ID: WebClient$WebClient(%p): Leaving GetDownloadedData()$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 2555838569-1528802841
    • Opcode ID: 91ee02311ba42dd27d9a44baceb2f7b170826da9612bf55770dc038ec588b051
    • Instruction ID: abd325dda380db3501cdd1e6cdf033615221233722b0c02dfa509670ef41944a
    • Opcode Fuzzy Hash: 91ee02311ba42dd27d9a44baceb2f7b170826da9612bf55770dc038ec588b051
    • Instruction Fuzzy Hash: 1761D332B18B0286FB10EF66E4842BDA371BB94BACF904136CE4E53798DE38D455C364
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$Aligned_get_default_resourceFolderPath
    • String ID: Microsoft OneDrive\setup\logs$Microsoft\OneDrive\setup\logs$d:\dbs\sh\odct\0223_153807_0\cmd\l\client\onedrive\Setup\Standalone\fsmanager\fsmanagerimpl.cpp
    • API String ID: 2987415128-2058268419
    • Opcode ID: c3711834d42646a347f2246e7448991f8de90d73d4a93258ea3bb61567791b3d
    • Instruction ID: 459a4ded97a44bf54b42db35120d977be365092b0d72110a41cf1cfe06f37100
    • Opcode Fuzzy Hash: c3711834d42646a347f2246e7448991f8de90d73d4a93258ea3bb61567791b3d
    • Instruction Fuzzy Hash: E951A632A18B8192E710EF26E4C02AAF764FB94768F914136DF9D136A4DF7CD184C714
    APIs
    • FreeLibrary.KERNEL32(?,?,?,00007FF7C4053E6E,?,?,00000000,00007FF7C42CD601,?,?,?,?,00007FF7C414DCC6), ref: 00007FF7C40535BF
    • GetProcAddressForCaller.KERNELBASE(?,?,?,00007FF7C4053E6E,?,?,00000000,00007FF7C42CD601,?,?,?,?,00007FF7C414DCC6), ref: 00007FF7C40535CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: AddressCallerFreeLibraryProc
    • String ID: api-ms-$ext-ms-
    • API String ID: 3520295827-537541572
    • Opcode ID: 12cf3816012bc3fe5c1545f350b9c82583d50d18c9a010ba7ee4c444b87a26e5
    • Instruction ID: 171c92fe3e1ec512d35f914512170eb6f22bd987b5ad3002e8b161945b9ba608
    • Opcode Fuzzy Hash: 12cf3816012bc3fe5c1545f350b9c82583d50d18c9a010ba7ee4c444b87a26e5
    • Instruction Fuzzy Hash: C9412261B58E0281FA12FF17A8842B5A395FF44BF8F89553ADD0D8B784DE3CE0858324
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Close$CriticalSection$Handle$ChangeDeleteEnterFindLeaveNotification_invalid_parameter_noinfo_noreturn
    • String ID: WebClient$WebClient(%p): destroyed
    • API String ID: 872555116-1053654690
    • Opcode ID: e0026fbbe3b5c5738bfe8db654fb63cdbe3f06c8936f89669fcffcfb11580f91
    • Instruction ID: 546238bf67a0bc5a49d4e0cd2c09d2294f5e22164a41198c59d82a70f6a4cc7a
    • Opcode Fuzzy Hash: e0026fbbe3b5c5738bfe8db654fb63cdbe3f06c8936f89669fcffcfb11580f91
    • Instruction Fuzzy Hash: 4141E432A15E4586EB44EF26D4D53B8A370FF94F6DF944536CA0E4A2A4DF2DE448C324
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID:
    • String ID: UpdateRingSettingsParser::GetSettingsFromJsonObject$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsParser.cpp$settings$value
    • API String ID: 0-676100781
    • Opcode ID: 9b4ea6b1c8da8fbfa575d10a5459b1591690021d5a505221282f77402bcb23d2
    • Instruction ID: f3d6fbd90e6eefa750c215d21082160c13166079ebb72a9f6e06b2b959bebe2b
    • Opcode Fuzzy Hash: 9b4ea6b1c8da8fbfa575d10a5459b1591690021d5a505221282f77402bcb23d2
    • Instruction Fuzzy Hash: 7FB1C222F58A4642FB10AFA6D8C02ADA3A1FB84BACF855136DA0D53795DF3CE481C351
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: FileInfoVersion$QuerySizeValue_invalid_parameter_noinfo_noreturn
    • String ID: \StringFileInfo\%04x%04x\OriginalFilename$\VarFileInfo\Translation
    • API String ID: 1927219033-1556208207
    • Opcode ID: f305a5d4802fe668cf9fda1918c8f33807acb5595fd4314793707687fdf3c57f
    • Instruction ID: 4fe52e194d1cc16e0051f261c7ca57e8816226232025e093ef5a8d2350482ed6
    • Opcode Fuzzy Hash: f305a5d4802fe668cf9fda1918c8f33807acb5595fd4314793707687fdf3c57f
    • Instruction Fuzzy Hash: 41915072B08B8585EB10EF6AE4802ADA7B1FB88BA8F904236DE4C57764DF7DD544C710
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7fce0f33238d65008f2d20c9c729817b1b59526dabd6495b1cc8238be10422c2
    • Instruction ID: 022c2f298b9ebe839effe1633270f5a5bc19949306ee8869689a704f20ca350d
    • Opcode Fuzzy Hash: 7fce0f33238d65008f2d20c9c729817b1b59526dabd6495b1cc8238be10422c2
    • Instruction Fuzzy Hash: 75510865A08B4686FB50AF57E8C4338A3B1AB85FACF944035DA8D5B3A5CF3DE445C321
    Similarity
    • API ID: Aligned_get_default_resource$_invalid_parameter_noinfo_noreturn
    • String ID: IsTest$Software\Microsoft\SQMClient
    • API String ID: 879565387-4109838640
    • Opcode ID: 874cf461619d02d71a53b7bf2cc27a9772faef1abe9e4d95d36d8211a1b40f82
    • Instruction ID: 99cff744a48c685faef25b4d83f228a993df1652e5a03351417aee5fe7a6b1b2
    • Opcode Fuzzy Hash: 874cf461619d02d71a53b7bf2cc27a9772faef1abe9e4d95d36d8211a1b40f82
    • Instruction Fuzzy Hash: 80517B22B04B429AEB10EF62D4801EC7374FB88B9CB805136DE4D27B69EF38D215C354
    Similarity
    • API ID: Value$FileFindNamePath
    • String ID: File$GUID$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 419649710-2326459497
    • Opcode ID: 61be581ee4f4e13ce5220fc344eefe86a59dc6ce0e020272d6b7c5bdbdf8ffc8
    • Instruction ID: ca94c385a997e9e4d1ae8f2933e60af309f891bacaf15b002a405995a2fd2b73
    • Opcode Fuzzy Hash: 61be581ee4f4e13ce5220fc344eefe86a59dc6ce0e020272d6b7c5bdbdf8ffc8
    • Instruction Fuzzy Hash: A2419225F0864283EB21AF13E488379A760FB44BA8FA44436CA9D47794CF3DE6958360
    Similarity
    • API ID: CreateErrorLastMutex
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$ErrorCode$StandaloneUpdater::GrabUpdateMutex$result
    • API String ID: 1925916568-3043308129
    • Opcode ID: a1376326dd3b1872f4736c24994f544964e7e33b6354d60dc54d6590e43706d6
    • Instruction ID: d28ea3fa6789a885565749b9ed7b3b888717287d11c9ad077035606602c3b7a5
    • Opcode Fuzzy Hash: a1376326dd3b1872f4736c24994f544964e7e33b6354d60dc54d6590e43706d6
    • Instruction Fuzzy Hash: 89416A32A14A418AE710EF22E4843A9B7B0FB84BACF81053AEA4D53B64DF7CD159C750
    Similarity
    • API ID: ErrorLastTemp$FileNamePath
    • String ID: d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp$wct
    • API String ID: 891594076-3157952432
    • Opcode ID: 7c689e38abf892a117ad0f63fcdc77bfebe8d9a62452ffa2c8f7ad640b5c6618
    • Instruction ID: 5c65f9115b687b2bc3855efcb7006938ebd90b0a39144b76320199e6eeafda82
    • Opcode Fuzzy Hash: 7c689e38abf892a117ad0f63fcdc77bfebe8d9a62452ffa2c8f7ad640b5c6618
    • Instruction Fuzzy Hash: DA31EA65B08B4282F720BF22E4C47B9A3A0FB48B78FD10236DA9D47685DF2DD545C720
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: https://g.live.com/1rewlive5skydrive/ODSUEnterpriseV2$https://g.live.com/1rewlive5skydrive/ODSUInsiderV2$https://g.live.com/1rewlive5skydrive/ODSUMsitFastV2$https://g.live.com/1rewlive5skydrive/ODSUMsitSlowV2$https://g.live.com/1rewlive5skydrive/ODSUProductionV2
    • API String ID: 628915230-2666494377
    • Opcode ID: fc5f28df7a64533c7fc09b240dc73a366c47016fd2901c59741e6046db3daf2b
    • Instruction ID: cd463d4cb176ecea700ef97d56109da20c5fc4ad2b9a110387961ef54bf26053
    • Opcode Fuzzy Hash: fc5f28df7a64533c7fc09b240dc73a366c47016fd2901c59741e6046db3daf2b
    • Instruction Fuzzy Hash: BE318176A5CB8281EA30EF06E4C0269A371FB85BE8FD14275EA4D17A95CF2CE645C710
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: https://g.live.com/1rewlive5skydrive/MsitFastV2$https://g.live.com/1rewlive5skydrive/MsitSlowV2$https://g.live.com/1rewlive5skydrive/OneDriveEnterpriseV2$https://g.live.com/1rewlive5skydrive/OneDriveInsiderV2$https://g.live.com/1rewlive5skydrive/OneDriveProductionV2
    • API String ID: 628915230-3224108899
    • Opcode ID: d27a8643cb7814f9687577b3580c83703914e9127744403af444ea6afeca996e
    • Instruction ID: da2a24cd7edef27146b80a8765c4ddc92223b51a9bf5fec5aeed689060e4cd7a
    • Opcode Fuzzy Hash: d27a8643cb7814f9687577b3580c83703914e9127744403af444ea6afeca996e
    • Instruction Fuzzy Hash: 56319422A5CB8282EA70EF07E4C5279A371BB84BE8FC15175DA4D07695DF2DD584C710
    Similarity
    • API ID: Mtx_unlock
    • String ID: BinaryLoggingSession::StartLoggingSession$aodl$d:\dbs\sh\odct\0223_153807_0\cmd\o\client\onedrive\Product\Logging\BinaryLoggingSession.cpp
    • API String ID: 1418687624-3898848689
    • Opcode ID: eca28e88f72505fcbd84cec41083c5ee5f3dee9bc8b705ceb11f2578b4c9047b
    • Instruction ID: 15d673e2f07c0cc41ce15adb5f375f8dcba7a5be51b04b8b5b14c60f1a424857
    • Opcode Fuzzy Hash: eca28e88f72505fcbd84cec41083c5ee5f3dee9bc8b705ceb11f2578b4c9047b
    • Instruction Fuzzy Hash: 79127B32B49A8682EB14EF26D5802BCA774FB84FA8F854132DE5D17765DF38D4A5C310
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterController.cpp$StandaloneUpdaterController::IsMachineThrottled$StandaloneUpdaterController::ShouldApplyUpdate
    • API String ID: 628915230-281803223
    • Opcode ID: ab148a67b1b4bdbea7aba0ab5eb149c78a2cfe35870d0b051df4cd16cf680d0c
    • Instruction ID: 3f6911a2d62066a085e31fac5b2adcc6b755c618c3717fc2ffb902c85000f7f4
    • Opcode Fuzzy Hash: ab148a67b1b4bdbea7aba0ab5eb149c78a2cfe35870d0b051df4cd16cf680d0c
    • Instruction Fuzzy Hash: AEC19372A14A1296EB20EF52D4C45ADB3B4FB44B9CF860079DE0D63695CF3CD5A4C7A0
    Strings
    • UpdateRingRampGroup, xrefs: 00007FF7C40E859F
    • d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp, xrefs: 00007FF7C40E861D
    • UpdateRingSettingsManager::PropagateRampsToTelemetry, xrefs: 00007FF7C40E8611
    Similarity
    • API ID: LockShared$AcquireRelease
    • String ID: UpdateRingRampGroup$UpdateRingSettingsManager::PropagateRampsToTelemetry$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp
    • API String ID: 2614130328-582473772
    • Opcode ID: 42b33e794c358f1b1698e4638fc3d8292aaa83d80e3fd95960ec1d7242516bd6
    • Instruction ID: 8de5cfaf8e7d5e9dba55a5a1a0eb7028d3a73f8ddfbf8bbc9316b41a6cedd40e
    • Opcode Fuzzy Hash: 42b33e794c358f1b1698e4638fc3d8292aaa83d80e3fd95960ec1d7242516bd6
    • Instruction Fuzzy Hash: 56B1D463B48A8592EB20EF26D4C0069E7B1FB84B98F855176EACD037A9DF3CD591C710
    Strings
    • D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\WebClientUpdateDownloader.cpp, xrefs: 00007FF7C401C68B
    • WebClientUpdateDownloader::CopyOverDownloadedData, xrefs: 00007FF7C401C67E
    • result, xrefs: 00007FF7C401C63D
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\WebClientUpdateDownloader.cpp$WebClientUpdateDownloader::CopyOverDownloadedData$result
    • API String ID: 628915230-877556936
    • Opcode ID: 70dc243cdfd7fbb94f9ecaec77b5a85526c702f685c0049bb7ceefdf6e8bd674
    • Instruction ID: c5f54bdcbfe2871b55d648848f9877a05f7f1d8a78a253bf7a7f029084b5539c
    • Opcode Fuzzy Hash: 70dc243cdfd7fbb94f9ecaec77b5a85526c702f685c0049bb7ceefdf6e8bd674
    • Instruction Fuzzy Hash: 89916032B48B4685EB10EF66D4802ACA3B5BB84BACF865076DE0D67769EF3CD445C350
    Similarity
    • API ID: std::ios_base::failure::failure
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2264918676-1866435925
    • Opcode ID: 47085ac235619f3cb2bc2866e4c8642aa0954896132e664907964907f12d0016
    • Instruction ID: f742ddec7c863b54f725246d2f13826f0afe76d353a5bdbe7ba0578732c2f2dc
    • Opcode Fuzzy Hash: 47085ac235619f3cb2bc2866e4c8642aa0954896132e664907964907f12d0016
    • Instruction Fuzzy Hash: 8F71BD72A09A4285EB50EF26D4802B8B770FB54B9CFC64076EA4D47798DF3CD596C360
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: OverridesProvider::ReadSettingsOverrides$Software\Microsoft\OneDrive\PreSignInSettingsOverrides$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\OverridesProviderWin.cpp
    • API String ID: 628915230-1023140038
    • Opcode ID: 9e7bc028d644bad1eb08db3f48b31f23875adfba7d9aca4f716a3850984b7531
    • Instruction ID: ac82c57507b470763135f2f0bea9d20fcb0b57f877a2fdf43950a9b393d6034a
    • Opcode Fuzzy Hash: 9e7bc028d644bad1eb08db3f48b31f23875adfba7d9aca4f716a3850984b7531
    • Instruction Fuzzy Hash: 30718022B48A4196FB10EF62E4802EDA3B1FB8476CF911136DE4D63AA9DF3CD549C750
    Similarity
    • API ID: File$InfoOpenPathVersion$LongNameQueryRemoveSizeSpecValue
    • String ID: false
    • API String ID: 1687329707-734881840
    • Opcode ID: 08e9ff1be93866122acf6a0d2e87b31156f8ddadd897695e0af009d22ab42d8a
    • Instruction ID: 33972b30c5605583850c8c6fc745a1f67bc9961f823f0b16f4eb930d2a090e3e
    • Opcode Fuzzy Hash: 08e9ff1be93866122acf6a0d2e87b31156f8ddadd897695e0af009d22ab42d8a
    • Instruction Fuzzy Hash: C561C612A1865286EF20EF27E8811FDA760FF857ACF815031EA8D576AADF3CD545C710
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: OverridesProvider::ReadRampOverrides$Software\Microsoft\OneDrive\PreSignInRampOverrides$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\OverridesProviderWin.cpp
    • API String ID: 628915230-3983309578
    • Opcode ID: f537ae53efe46b1c3d2b1fccfc7304e6036029b17f07d6e284acbc28c6804c76
    • Instruction ID: 52c909480ec837aaa75cc27b5d84be62da787588871fc99ec37b223096f1b9ad
    • Opcode Fuzzy Hash: f537ae53efe46b1c3d2b1fccfc7304e6036029b17f07d6e284acbc28c6804c76
    • Instruction Fuzzy Hash: 06616D22B44A419AFB10EFB2D8802ED73B1BB887ACF814136DE4D67695EF38E555C350
    APIs
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C41119B8
      • Part of subcall function 00007FF7C401B694: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C401B6EF
    Similarity
    • API ID: Aligned_get_default_resource_invalid_parameter_noinfo_noreturn
    • String ID: 16.0.11425.20202$AudienceData$Dogfood$Software\Microsoft\Office\ClickToRun\Configuration
    • API String ID: 4266926526-2226149379
    • Opcode ID: e4ef1327850a9f4ee370ff85bb07f830235563c686a12bdb94924ea65abb30eb
    • Instruction ID: 47c7c9848897683a2d3bfc17c7cd5b70fb5ee4525bdc55d42d3ae2c5e35f353c
    • Opcode Fuzzy Hash: e4ef1327850a9f4ee370ff85bb07f830235563c686a12bdb94924ea65abb30eb
    • Instruction Fuzzy Hash: AF51B432A14B42DAE720AF21E4806EDB374FB94B6CF854135EA4C57B99EF38E644C354
    APIs
    Strings
    Similarity
    • API ID: std::ios_base::failure::failure
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2264918676-1866435925
    • Opcode ID: b238f849d1da87789555524576970b916821299d5b6d2f3034c790bee82e9df8
    • Instruction ID: 0b6a235c1acb4721e7226044cfc9b9afa2ef2f48d2378e57d1e586b7838bd175
    • Opcode Fuzzy Hash: b238f849d1da87789555524576970b916821299d5b6d2f3034c790bee82e9df8
    • Instruction Fuzzy Hash: 7A210162A5950282EF54FF02D4D22F8A730FF90B5CFC55076E60E426A5DE7CE186C360
    APIs
    Strings
    Similarity
    • API ID: Delete$Value
    • String ID: File$GUID
    • API String ID: 3273747370-2566199573
    • Opcode ID: 3361484d5dd1688e8405f217570241a2c1cd8fc92435ee25ecd727e40d3acda7
    • Instruction ID: bb25c1a0f320bbf868947e28edd1fe8c40a6e491c58883e630d193d99d505e60
    • Opcode Fuzzy Hash: 3361484d5dd1688e8405f217570241a2c1cd8fc92435ee25ecd727e40d3acda7
    • Instruction Fuzzy Hash: A4117821614D85D2DB44EF16E4C92ACE361FB44FA8F948036D74D57255CF38E4AAC364
    APIs
    Strings
    Similarity
    • API ID: ErrorLast
    • String ID: failed with hr=$Attempting to find process by name: $Found process, PID=$OpenProcess on PID=
    • API String ID: 1452528299-3248908137
    • Opcode ID: 57d183f817150ec273e360e367ab56e2662b588d00195dc9d77f94c1e0a3eff7
    • Instruction ID: bfce1616be0d3aa1be4db340f385d2e655b67e0b6130d34a918301830a6e53b1
    • Opcode Fuzzy Hash: 57d183f817150ec273e360e367ab56e2662b588d00195dc9d77f94c1e0a3eff7
    • Instruction Fuzzy Hash: EAD1D832A18B4286EB10EF62E4C46ADBB70FB94B9CF915032EA8D53665DF3CD584C710
    APIs
    Similarity
    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
    • String ID:
    • API String ID: 4144305933-0
    • Opcode ID: 7138c5c5c74faf1bf17974996c6e54c09794ee1c4a732ecb393a2382692d3021
    • Instruction ID: 9ea36375212e818e94d7fad7ea693139322397728347a15187c2da414ffb5d8b
    • Opcode Fuzzy Hash: 7138c5c5c74faf1bf17974996c6e54c09794ee1c4a732ecb393a2382692d3021
    • Instruction Fuzzy Hash: 83316D62E8860341FA14BF2796D23B9AAD1BF413ACFC654F5D94D0B2D3DE2CE4848234
    APIs
    Strings
    • d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp, xrefs: 00007FF7C40E6554
    • UpdateRingSettingsManager::ApplyRampOverrides, xrefs: 00007FF7C40E6548
    Similarity
    • API ID: ExclusiveLock$AcquireRelease
    • String ID: UpdateRingSettingsManager::ApplyRampOverrides$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp
    • API String ID: 17069307-3830362791
    • Opcode ID: ba887e6362c2516b28591cffdac90769e83cfc55b7cddffc49f6c846d6d31dd3
    • Instruction ID: a971095a49f18e3ecbe2998b39a1e9cf3f6b679f25643bd7ce9b472d1fa53dc5
    • Opcode Fuzzy Hash: ba887e6362c2516b28591cffdac90769e83cfc55b7cddffc49f6c846d6d31dd3
    • Instruction Fuzzy Hash: D791D322B58A8595EB10EF66E4C00EDB771FB84758FC11032EA8E53AA9DF3CD995C710
    Strings
    Similarity
    • API ID:
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 0-1866435925
    • Opcode ID: 87714f46442f176217039e32116a0ddcfafe3d8b16a52a7ecf97f7fcb6cd7d3d
    • Instruction ID: aa1319c6950c35daf58df4396e55ee338b98553db4b72b532699235f087c9099
    • Opcode Fuzzy Hash: 87714f46442f176217039e32116a0ddcfafe3d8b16a52a7ecf97f7fcb6cd7d3d
    • Instruction Fuzzy Hash: FC719B23648A4585DB10EF0AD6C027CA762FB84FA8B968172DE4D477A6CF3DD881D360
    APIs
    Strings
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: !ERROR! (0x%08X) $Chk$gfffffff
    • API String ID: 3668304517-404882245
    • Opcode ID: 94933b167fa7cb938bf16d4f0f5a34dedb9e2272ef9a79088a4ac39beb586fed
    • Instruction ID: 0bee386de38aa8e32288728072a840664a58c18aa8ec3bfeddd162ab05ae6239
    • Opcode Fuzzy Hash: 94933b167fa7cb938bf16d4f0f5a34dedb9e2272ef9a79088a4ac39beb586fed
    • Instruction Fuzzy Hash: F251B562B58A8262FA10AF13F4803E9D350EB847B8FC54475DF4E47A85DF7CE5858721
    APIs
    Strings
    Similarity
    • API ID: LockitLockit::_std::_std::ios_base::failure::failure
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 1478341485-1866435925
    • Opcode ID: f9d2e84a63df5cbfce4b6b53e26713151c0e05150a0695005156167181ad00f4
    • Instruction ID: 1d51beb251c788be195ba41f75d73f07c4e0260306b7030e977d2c13696b624d
    • Opcode Fuzzy Hash: f9d2e84a63df5cbfce4b6b53e26713151c0e05150a0695005156167181ad00f4
    • Instruction Fuzzy Hash: 36519A72608B8582DB20EF1AE5C02A9F760FB84BA8F958036DB8D47B65DF7DD485C710
    APIs
    Strings
    • d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp, xrefs: 00007FF7C40E66AE
    • UpdateRingSettingsManager::ApplySettingsOverrides, xrefs: 00007FF7C40E66A2
    Similarity
    • API ID: ExclusiveLock$AcquireRelease
    • String ID: UpdateRingSettingsManager::ApplySettingsOverrides$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp
    • API String ID: 17069307-752743626
    • Opcode ID: 40f6a16484bc96071de589d7d75a9e541dbf9f9eeb885bfdb1df9a089e7509ae
    • Instruction ID: 562c6a54cdec272aca19715a18bf66b0db0ecd6bd8e1e2cf5e08a24c98c37123
    • Opcode Fuzzy Hash: 40f6a16484bc96071de589d7d75a9e541dbf9f9eeb885bfdb1df9a089e7509ae
    • Instruction Fuzzy Hash: 5F515222B54A0585FF00AF22D4903BCA7A1FB48B9CF894475CA4D17795DF3CE991C364
    APIs
    Strings
    • DeviceHealth::ScoreRecorder::Initialize, xrefs: 00007FF7C40A04FF
    • d:\dbs\sh\odct\0223_153807_0\cmd\o\client\onedrive\Product\Logging\HealthScoreRecorder.cpp, xrefs: 00007FF7C40A050B
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: DeviceHealth::ScoreRecorder::Initialize$d:\dbs\sh\odct\0223_153807_0\cmd\o\client\onedrive\Product\Logging\HealthScoreRecorder.cpp
    • API String ID: 3668304517-3147790837
    • Opcode ID: a8a6e27a6bef2a6b4dd8401e3530a5e022f3669b3e2b2d08a84b601a2dab8951
    • Instruction ID: 2b6c958a4b4cce869c9298954970c97ba8112c6ac2b410ef7762f5eba792d04b
    • Opcode Fuzzy Hash: a8a6e27a6bef2a6b4dd8401e3530a5e022f3669b3e2b2d08a84b601a2dab8951
    • Instruction Fuzzy Hash: 3D41BE62A54A4A85FB00AF66D8843ADA371FB85BBCF911235DA5C066D6DF3CD4C0C320
    APIs
    Strings
    Similarity
    • API ID: std::ios_base::failure::failure
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2264918676-1866435925
    • Opcode ID: 7a919d8a825dafe9a351aa55b289e998eddbaa0a7f4385a493efb2bdf812f25c
    • Instruction ID: dde6d80443478ed853ad8e2f19e00ef10bf714be804956ef1889438adc4e68fd
    • Opcode Fuzzy Hash: 7a919d8a825dafe9a351aa55b289e998eddbaa0a7f4385a493efb2bdf812f25c
    • Instruction Fuzzy Hash: 5451CE32645B8585EB10DF16E9C57A8B3A1FB84BACF9A8135CA0D47760DF3ED146C340
    APIs
    Strings
    Similarity
    • API ID: Library$FreeLoad
    • String ID: WofIsExternalFile$wofutil.dll
    • API String ID: 534179979-1578866952
    • Opcode ID: 74b2b2c819f6d5cf1847ea2736576c82eedb666c69edd6b7fe44470a726a7b9b
    • Instruction ID: 22dab665970168b5f7032cdcfb113a48df8fa11d4e3a8810ea82c23baa5f584d
    • Opcode Fuzzy Hash: 74b2b2c819f6d5cf1847ea2736576c82eedb666c69edd6b7fe44470a726a7b9b
    • Instruction Fuzzy Hash: 6E212B71B18B4582EB60AF17E88016AA3A1EB98FA8F845136DD4D57764CF3DE445C710
    APIs
    Strings
    • D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp, xrefs: 00007FF7C4016303
    • StandaloneUpdater, xrefs: 00007FF7C40162A4
    • StandaloneUpdater::HandleChinaTypeApproval, xrefs: 00007FF7C40162F4
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$StandaloneUpdater$StandaloneUpdater::HandleChinaTypeApproval
    • API String ID: 628915230-1525699153
    • Opcode ID: c91feb166604a7cc0378e5acb3ca1e2e53f7663bd691e564398c4a7cac623b0b
    • Instruction ID: 383783130230c4e73c9260d257616167c525206debb52cfddbded7412c69753c
    • Opcode Fuzzy Hash: c91feb166604a7cc0378e5acb3ca1e2e53f7663bd691e564398c4a7cac623b0b
    • Instruction Fuzzy Hash: 25317122A18B8586EB50EF16E8C1369A7A0FBD57A9F854075E98D43765CF3CD045CB20
    APIs
    Strings
    Similarity
    • API ID: CloseDeleteOpenValue
    • String ID: Software\Microsoft\OneDrive
    • API String ID: 849931509-3283851750
    • Opcode ID: 32d9244246d1992a65adcc5ad3f9ad6a620cd7300ab76fa773eb912995376f28
    • Instruction ID: 62323fc965dcc8d488d792aad7b5664aa6e80c7adc8ba32ad362fdba0c293f15
    • Opcode Fuzzy Hash: 32d9244246d1992a65adcc5ad3f9ad6a620cd7300ab76fa773eb912995376f28
    • Instruction Fuzzy Hash: AB21A472714B4582EB109F27F9C5A2AA7B1FB89BD8F905036DE4D83B24DE2DD494C710
    APIs
    Strings
    Similarity
    • API ID: CloseCreateValue
    • String ID: UpdateDescriptionXml
    • API String ID: 1818849710-2514070205
    • Opcode ID: cf0b3a7420e4d22434441805a8ba46aa01c8c67b2242518831d03f8621292be2
    • Instruction ID: 68b7bd25819016c239b0115bc6e1be3903d28d16e7d775d493a0a47fb7f12159
    • Opcode Fuzzy Hash: cf0b3a7420e4d22434441805a8ba46aa01c8c67b2242518831d03f8621292be2
    • Instruction Fuzzy Hash: 70219273A18A4282E7609F62E48576AB7A0FB84BE8F444135EE8C46654CF7CC1958B50
    APIs
      • Part of subcall function 00007FF7C4110D90: GetLastError.KERNEL32 ref: 00007FF7C4110E06
      • Part of subcall function 00007FF7C4110D90: StringFromGUID2.OLE32 ref: 00007FF7C4110E40
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C40E276B
      • Part of subcall function 00007FF7C4065BC0: EnterCriticalSection.KERNEL32(?,?,6666666666666667,?,00000000,00007FF7C40656B4), ref: 00007FF7C4065BE5
      • Part of subcall function 00007FF7C4065BC0: LeaveCriticalSection.KERNEL32 ref: 00007FF7C4065C08
    Strings
    Similarity
    • API ID: CriticalSection$Aligned_get_default_resourceEnterErrorFromLastLeaveString
    • String ID: Failed to set machine ID, no need to download settings. Machine ID: %ls$Update settings. hresult = %x$UpdateRingSettingsDownloader
    • API String ID: 412170431-2296922706
    • Opcode ID: 119f6e13fb46291855f4127d67f527a38a63b138703d1cf0f9a7a0489a95b6f6
    • Instruction ID: 016eef4fc69ceaf49bf0bd0da408ad9d881c00d9a94e35aa7a59e8a503214ec1
    • Opcode Fuzzy Hash: 119f6e13fb46291855f4127d67f527a38a63b138703d1cf0f9a7a0489a95b6f6
    • Instruction Fuzzy Hash: 2C219262B28A8696EB00AF56F4804A9A370FBC8BA8FC11036FE8D43655DF3CD545C710
    APIs
    Strings
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: OneDriveSetup.exe$OneDriveStandaloneUpdater.exe$OneDriveUpdaterService.exe
    • API String ID: 628915230-2437466349
    • Opcode ID: 38b2820c0630f54c051373c87e7e1680c98f506226e1634054b6403dfa50633a
    • Instruction ID: 15a84f4c26d4a2168ca76ee02e2aff21fc7a089c9a5e40bcdab0d83d2e6c7d8a
    • Opcode Fuzzy Hash: 38b2820c0630f54c051373c87e7e1680c98f506226e1634054b6403dfa50633a
    • Instruction Fuzzy Hash: 93219252A0D7C352EB10BF32E8D1165A770BBC576CFC50179E98C561A6DFACE244C724
    APIs
    • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7C405DD14), ref: 00007FF7C405DE97
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7C405DD14), ref: 00007FF7C405DF21
    Similarity
    • API ID: ConsoleErrorLastMode
    • String ID:
    • API String ID: 953036326-0
    • Opcode ID: c22c136ad7da4be2a86e7befceb2637fd3ceef22e23df49dd2282a87cdc296e8
    • Instruction ID: 5b48207cf6c6c61e5bd601d7e052a14638f87f0059f70360e0824f32c4a2424e
    • Opcode Fuzzy Hash: c22c136ad7da4be2a86e7befceb2637fd3ceef22e23df49dd2282a87cdc296e8
    • Instruction Fuzzy Hash: 3091F132E58A1285FB50AF6694C06BDA7A1FF44BACF858176DE0E13694CF38E0C1D724
    APIs
    Similarity
    • API ID: FileInfoVersion$QuerySizeValue_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 1927219033-0
    • Opcode ID: db13498da46a2c7ece3ec984e49cebe1a310b38b8b5eb059d1b85ab52139e8a4
    • Instruction ID: 564922708f007d8c145eb409c1421d4397f12dbf16d532a6d272e5267b4299f3
    • Opcode Fuzzy Hash: db13498da46a2c7ece3ec984e49cebe1a310b38b8b5eb059d1b85ab52139e8a4
    • Instruction Fuzzy Hash: E791A662E18B8182EB10DF35D5812BDA770FB95B9CF51A221DE8C539A6DF38E1D5C700
    APIs
    Strings
    Similarity
    • API ID: ErrorLast
    • String ID: '$MachineId$Software\Microsoft\SQMClient
    • API String ID: 1452528299-1507667817
    • Opcode ID: 9527abf31fd9fbf22428c0eba52a235ea669481e82987c677b9db191330cc292
    • Instruction ID: 369bd49444c5bd9c896ba8970c453d8913f30c79c11dea8aa57d44f6350c7c87
    • Opcode Fuzzy Hash: 9527abf31fd9fbf22428c0eba52a235ea669481e82987c677b9db191330cc292
    • Instruction Fuzzy Hash: C211A92171864186EB50EF26F5853B9B391FF84B68FC00135D98D83696DF3CD5088B50
    APIs
    Strings
    Similarity
    • API ID: ErrorLast
    • String ID: '$Software\Microsoft\SQMClient$UserId
    • API String ID: 1452528299-1208274305
    • Opcode ID: 7028caa977fdf96f92654840885df27c2a8bab7bf6cf4ae10f73bc11007d4a44
    • Instruction ID: 4cd41a50ff9220cbcb6806530a4b5fdb3bcac1645e158ec4895c60f4b3a920eb
    • Opcode Fuzzy Hash: 7028caa977fdf96f92654840885df27c2a8bab7bf6cf4ae10f73bc11007d4a44
    • Instruction Fuzzy Hash: 6D11A92171C64296EB50EF26F5913B9B391FF84BA8FC04135D98D83695DF7CD5088B10
    APIs
    Strings
    • d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp, xrefs: 00007FF7C40E8F20
    • UpdateRingSettingsManager::TryUpdate, xrefs: 00007FF7C40E8F19
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: UpdateRingSettingsManager::TryUpdate$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\UpdateRingSettingsManager.cpp
    • API String ID: 3668304517-1924243555
    • Opcode ID: d33c9962e8118329a0de4bf8f0d9f473af4224b52c75f8d5e43379656e0b7b56
    • Instruction ID: 1b2c823d441ce200a7facea61a0f0f6462b7084b0cc6c6fe6ad7408b2246c95a
    • Opcode Fuzzy Hash: d33c9962e8118329a0de4bf8f0d9f473af4224b52c75f8d5e43379656e0b7b56
    • Instruction Fuzzy Hash: 3E810222F44A498AEB00BF72D4802BCA371BB45BBCF854171DE5D27695DE38E495C358
    APIs
    Strings
    Similarity
    • API ID: CreateErrorFileLast
    • String ID: invalid hash bucket count
    • API String ID: 1214770103-1101463472
    • Opcode ID: 0459557b1758c9892a8d412e3491ddb4900acb5f1b90690342782e9167a49da1
    • Instruction ID: 77287836be5acbdca183920cbe56efefd1d81a68f434bc34057c39fd2c79fbed
    • Opcode Fuzzy Hash: 0459557b1758c9892a8d412e3491ddb4900acb5f1b90690342782e9167a49da1
    • Instruction Fuzzy Hash: 9051AD33605B81C2D7009F12E9901ACB3A4FB48BB8B958235EBAD47796DF78D4A5C310
    APIs
    Strings
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: ActivePolicyCode$Software\Microsoft\Windows\CurrentVersion\DeviceAccess
    • API String ID: 628915230-3119669494
    • Opcode ID: 3acae6c7e7d20a13308c83eb941f20220a86f0bedeacf2f9722a5e590bb60590
    • Instruction ID: be8eb337adc0abf8a84772710be88b1d8b1aaefd918cbda786e2ada6269a64a3
    • Opcode Fuzzy Hash: 3acae6c7e7d20a13308c83eb941f20220a86f0bedeacf2f9722a5e590bb60590
    • Instruction Fuzzy Hash: 4E615032B14B429AEB10EF61E4801EC6375FB94B9CF815236EE4D53A99EF38D245C364
    APIs
      • Part of subcall function 00007FF7C40649A8: EnterCriticalSection.KERNEL32 ref: 00007FF7C40649CD
      • Part of subcall function 00007FF7C40649A8: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF7C4064414), ref: 00007FF7C40649F4
    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C40E02E5
    Strings
    Similarity
    • API ID: CriticalSection$EnterLeave_invalid_parameter_noinfo_noreturn
    • String ID: Downloaded file is too big: %lld bytes$Failed to fetch data
    • API String ID: 2008198395-2480692681
    • Opcode ID: 91a22837ad8ec0b63f19964c41bac959b80edd4ee8bbed5e3e92b4042916a88b
    • Instruction ID: c16f84a3e639ea2d75d228eb009df02d4b189b7a10433fca7bc44403206debd3
    • Opcode Fuzzy Hash: 91a22837ad8ec0b63f19964c41bac959b80edd4ee8bbed5e3e92b4042916a88b
    • Instruction Fuzzy Hash: 3931A072B54A4589EB00AF77D4802ECA361AB88BACF954136EE0D57799DE3CD581C314
    APIs
    • SHCreateDirectoryExW.SHELL32(?,?,?,?,?,?,00000000,?,?,00007FF7C407717D), ref: 00007FF7C4076EA3
    • CoTaskMemFree.OLE32(?,?,?,?,?,?,00000000,?,?,00007FF7C407717D), ref: 00007FF7C4076EC5
    Strings
    Similarity
    • API ID: CreateDirectoryFreeTask
    • String ID: Microsoft\OneDrive\logs
    • API String ID: 701814230-1342002985
    • Opcode ID: 30d40df8687429ec63a985edcabe2bc3b9a1d7921f75a4115c69225b9d9ed251
    • Instruction ID: 57d7cd5ebfc4cbcebdf03d9c4c61076dc831383d4ef3a8dbe0a091276ab996d2
    • Opcode Fuzzy Hash: 30d40df8687429ec63a985edcabe2bc3b9a1d7921f75a4115c69225b9d9ed251
    • Instruction Fuzzy Hash: C441E622A08A4182EB10AF26D48127DB370FB547ACF854535DB4D47656DF3CF5E0C361
    APIs
    Strings
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: EnableFasterRingUpdate$Software\Microsoft\OneDrive
    • API String ID: 628915230-2463706878
    • Opcode ID: 2dd6d65cea684e73399aea0e189dbc3efa96bdd3bebc6524caaefdee2def031e
    • Instruction ID: 9784c905657db870539f12ffb5b180db94da4ef5009cee1df33a5bd5a199bb2a
    • Opcode Fuzzy Hash: 2dd6d65cea684e73399aea0e189dbc3efa96bdd3bebc6524caaefdee2def031e
    • Instruction Fuzzy Hash: 6E418C32E18B029AE710EF62D4912ACB370FB98B58F811036DA4C637A5DF38D64AC350
    APIs
    Strings
    Similarity
    • API ID: ErrorFromLastString
    • String ID: 00000000-0000-0000-0000-000000000000
    • API String ID: 3006059378-2169625225
    • Opcode ID: 34ef2f68a09a61820b4c2817cd890da18039c26a080f46f4e74543acaceb0fc1
    • Instruction ID: 172b857f991fb55883454cb63c817985a2abb3a89b18e6832faea5a7b3860c1e
    • Opcode Fuzzy Hash: 34ef2f68a09a61820b4c2817cd890da18039c26a080f46f4e74543acaceb0fc1
    • Instruction Fuzzy Hash: C5215221A1CA4642FA20BF17F8912FAA360FF94BA8FC05235EADE47596DF2CD144C750
    APIs
    Strings
    Similarity
    • API ID: LongNamePath_invalid_parameter_noinfo
    • String ID: CsiSyncClient.exe
    • API String ID: 2490818102-1478280356
    • Opcode ID: 5f09272a820b5787a0241981bc3b370ed49144f4a83b6643df02407e9ee2b343
    • Instruction ID: a6fb7b9504c0dcebc88e5c43769d4206a6f3eb40dda05551986b72a4b541f8bd
    • Opcode Fuzzy Hash: 5f09272a820b5787a0241981bc3b370ed49144f4a83b6643df02407e9ee2b343
    • Instruction Fuzzy Hash: 7E11D651B1964242FE34BF13B8917B6D280AF84FA8FC40035DD8E47395FE3CE1428660
    APIs
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C411FC49
      • Part of subcall function 00007FF7C401B694: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C401B6EF
    Strings
    Similarity
    • API ID: Aligned_get_default_resource_invalid_parameter_noinfo_noreturn
    • String ID: Software\Microsoft\OneDrive$UpdateRingPostAuthConditions
    • API String ID: 4266926526-1747481121
    • Opcode ID: 0fd571bcdba47acaee44bd6feeabe7f12668f816fbea5d979bd084b9ce94cd7f
    • Instruction ID: fdc840c75f53c875aa194a05a93a801474e55d560fcb625d23a9b066b076f4f8
    • Opcode Fuzzy Hash: 0fd571bcdba47acaee44bd6feeabe7f12668f816fbea5d979bd084b9ce94cd7f
    • Instruction Fuzzy Hash: 8C21AE22F14B5299FB10EFA2E8806EC7374BB94758F815135DE4C67A69DF78D145C310
    APIs
    Strings
    • Software\Microsoft\OneDrive\Installer\BITS, xrefs: 00007FF7C4105A28
    • d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp, xrefs: 00007FF7C4105A75
    Similarity
    • API ID: Create
    • String ID: Software\Microsoft\OneDrive\Installer\BITS$d:\dbs\sh\odct\0223_153807_0\cmd\m\client\onedrive\Setup\standalone\webclient\webclient.cpp
    • API String ID: 2289755597-2170662684
    • Opcode ID: 561e55094ef5e03da29d174d4485ab7789939f26d37239ad73716eff0a219b71
    • Instruction ID: 8e3d9cdc325251a575dd59cbd6ce2d2264257c62d57c8cc368678cec986bdea5
    • Opcode Fuzzy Hash: 561e55094ef5e03da29d174d4485ab7789939f26d37239ad73716eff0a219b71
    • Instruction Fuzzy Hash: 4B118162B18B8287E710AF56F4C127AF3A0FB88778F904639EA9D46A55DF7CD0548B10
    APIs
    Strings
    Similarity
    • API ID: Aligned_get_default_resourceValue
    • String ID: Software\Microsoft\OneDrive$Version
    • API String ID: 2543255588-344254544
    • Opcode ID: 316d76a3d0effa9c20cca153c0195670e9c1dd36ee62bd0f6ca5aad0db5aff17
    • Instruction ID: 734b7143736cc4991c1abd4d13beff566e87da080e7a16c3dbe1772423fbe0ca
    • Opcode Fuzzy Hash: 316d76a3d0effa9c20cca153c0195670e9c1dd36ee62bd0f6ca5aad0db5aff17
    • Instruction Fuzzy Hash: 7711662261CA8582EA10EF55F4C53AAB370FB85B68F801236EB9D03695DF3CD145CB10
    APIs
    Strings
    • D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\WebClientUpdateDownloader.cpp, xrefs: 00007FF7C401C93E
    • WebClientUpdateDownloader::OnDownloadFinished, xrefs: 00007FF7C401C92F
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Event
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\WebClientUpdateDownloader.cpp$WebClientUpdateDownloader::OnDownloadFinished
    • API String ID: 4201588131-4285687176
    • Opcode ID: df334dddfe5031c2549479ef8661131533f6e47b096c33f3768104e3ed1a7c43
    • Instruction ID: 6d25f69bd13f6c7b10ddd0a6dd1faf9767da69343d225bfaf2b0f12a7324cc04
    • Opcode Fuzzy Hash: df334dddfe5031c2549479ef8661131533f6e47b096c33f3768104e3ed1a7c43
    • Instruction Fuzzy Hash: 54017572A1CA4186E720EF21E4923B9B7A0FB88369F800535E98D46695DF7CD148CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn$Mtx_unlock
    • String ID:
    • API String ID: 3867719841-0
    • Opcode ID: 6d6b3e4155746caf47c0f523568494c76331a8f05d2c9096db2fff648c612de4
    • Instruction ID: 251032dcbed6d0a56a79bcd2811b87fa1b1692943a02070265fbec4b22b0a717
    • Opcode Fuzzy Hash: 6d6b3e4155746caf47c0f523568494c76331a8f05d2c9096db2fff648c612de4
    • Instruction Fuzzy Hash: AFA18172B48A8585EB50EF26E4803ADB7A1FB84BA8F854172DE5D437A5CF3CE491C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Time$Concurrency::cancel_current_taskFileSystem$CheckCommonCompareHandler
    • String ID:
    • API String ID: 2357225875-0
    • Opcode ID: 308ed3bd1c0d3ff40e0db2f463adb552832af9fdaf42dfb905ab381cd85138d4
    • Instruction ID: 7e783cc2a68f85215ab65018ce4e3afa3ad18aeee8b821861c0fc4d142e133c1
    • Opcode Fuzzy Hash: 308ed3bd1c0d3ff40e0db2f463adb552832af9fdaf42dfb905ab381cd85138d4
    • Instruction Fuzzy Hash: A8618C32B04A419AEB00EF66D9801AC77B1FB48B9CB815076DE0E53758DF38D895C350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseEnumOpen
    • String ID:
    • API String ID: 1332880857-0
    • Opcode ID: 76036d0cb1828e072940a03cdf12fffab531da981f2086b2564bea9fc3c6c661
    • Instruction ID: 721f3a5713ff0e1b55cc3b8e0cd2420429f43059509906579cc08a2270328ae4
    • Opcode Fuzzy Hash: 76036d0cb1828e072940a03cdf12fffab531da981f2086b2564bea9fc3c6c661
    • Instruction Fuzzy Hash: 0241D536A08B8182E720AF17F98426AE7A0FB847ACF901136EE8D43794DF7DD485D710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseEnumOpenValue
    • String ID:
    • API String ID: 4012628704-0
    • Opcode ID: 5535cf94339a3f41eee311b4cbe2deb904bb1b88178c715e23694bf9c43b597e
    • Instruction ID: 8dcc9b3cd41712bc46dabaa236e3e0a94b5f902291a45154ce857da50b148221
    • Opcode Fuzzy Hash: 5535cf94339a3f41eee311b4cbe2deb904bb1b88178c715e23694bf9c43b597e
    • Instruction Fuzzy Hash: CF41A833A08B8183E6209F17F8842AAE3A0FB84BA8F914535DE9D07B94DF7CD555C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnshared_ptr
    • String ID:
    • API String ID: 1838787889-0
    • Opcode ID: 48804624218ca76a882a9e3f9f7c02d2065f7ed42dfc5549bee531f95b8d48f9
    • Instruction ID: 0aa63469156604634a4c3334f6694884e4a4dafdc5be9ff38e96d935c4512bbb
    • Opcode Fuzzy Hash: 48804624218ca76a882a9e3f9f7c02d2065f7ed42dfc5549bee531f95b8d48f9
    • Instruction Fuzzy Hash: 09310662B0465246FD14FE23A4842BC96A5AB44FFCF995571DEAC07BC5EE3CE4828318
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: std::_$Concurrency::cancel_current_taskLocinfoLocinfo::~_LockitLockit::_
    • String ID:
    • API String ID: 400335648-0
    • Opcode ID: 897e9a7f2828f84e3745df2b0885f2593a3bc68b42fe3aa68dd1e2fb0a6e7619
    • Instruction ID: 5cadeafdb12fb334bc8e457e6b463c0383d84aacf14c4f6ad0434a9010dc322d
    • Opcode Fuzzy Hash: 897e9a7f2828f84e3745df2b0885f2593a3bc68b42fe3aa68dd1e2fb0a6e7619
    • Instruction Fuzzy Hash: 6B416A26A08B4582EB14EF16E49026DA761FB88FD8F859532DE8D03B69EF3CD951C350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: _invalid_parameter_noinfo$_local_unwind
    • String ID:
    • API String ID: 1677304287-0
    • Opcode ID: 6fe01124587191e27233f4c75016b79927349169d73242d7148f3472c8829fbe
    • Instruction ID: de0cf0b36d1fc251d1b795065feecd7e5de3a00a786b9ef6da02546228b30934
    • Opcode Fuzzy Hash: 6fe01124587191e27233f4c75016b79927349169d73242d7148f3472c8829fbe
    • Instruction Fuzzy Hash: C521C531A2894681EA44FF16D4D22FCB360EB99BA8FC51271E90E473D1DE7DE545C320
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_LocinfoLocinfo::~_Register
    • String ID:
    • API String ID: 2315694003-0
    • Opcode ID: 5cfb39fb0a01a8a0683c0257c668e4fccde2ac57817baf4d9bafa5adfa5bba71
    • Instruction ID: 6bbca65621841c54ce53988711664ca025a2358ad1c3f877187ac54ed41f9ee4
    • Opcode Fuzzy Hash: 5cfb39fb0a01a8a0683c0257c668e4fccde2ac57817baf4d9bafa5adfa5bba71
    • Instruction Fuzzy Hash: 7D318F26A49B4181EA14BF13E5C017DA760FB88FB8F8A1575DA5D077A5DE3CE481C320
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID:
    • API String ID: 3677997916-0
    • Opcode ID: 987b7138fe94a6851b97319996b35f0643cb5bdc09944c6e770f5c79a8db5598
    • Instruction ID: 18267f327a2d6aebfb8471abf430caa3ae6077f3112be16a24f08b6dea5961e3
    • Opcode Fuzzy Hash: 987b7138fe94a6851b97319996b35f0643cb5bdc09944c6e770f5c79a8db5598
    • Instruction Fuzzy Hash: B021A232728B5286EB209F26F4C461BB2B0FB85B98F901136EB8D43A54DE3DD5548B20
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID:
    • API String ID: 3677997916-0
    • Opcode ID: 5047a86c199932b5af0a7911cf9a30ca49b67aa1e8f684d0206cfdbfec1a6a05
    • Instruction ID: 1f56beb113c16c6bf5164e8877cdf308751b745c90b1f905d52c819d48cdfa95
    • Opcode Fuzzy Hash: 5047a86c199932b5af0a7911cf9a30ca49b67aa1e8f684d0206cfdbfec1a6a05
    • Instruction Fuzzy Hash: 5D21A632A18B4286EB209F16F4C462AB3F0FB48BA9F905135EB8D47754DF3DD4558B20
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID:
    • API String ID: 3677997916-0
    • Opcode ID: 9c33a27fa1d419cd47717bba867c6a458436254db0b5b9f138c9db466695d678
    • Instruction ID: 2fb2bd0f3dc50b22b5a59ec8c4c2a2d571217a93d4065ef330c91d57be2634d6
    • Opcode Fuzzy Hash: 9c33a27fa1d419cd47717bba867c6a458436254db0b5b9f138c9db466695d678
    • Instruction Fuzzy Hash: CB21C732758B4286EB609F16F4C466AB7E0FB897A8F800136EB8D47B54DE3CD054CB50
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Aligned_get_default_resource$ExistsFilePath
    • String ID:
    • API String ID: 2289898590-0
    • Opcode ID: d8a21661d1f567ad713d53faa6c69bd0ec26cdbde39bb947187881bd5eb12523
    • Instruction ID: d351a14ede40f3bee1a0b96ceee573e5fbdcad8e9bc8b24b4c127c9767a1262d
    • Opcode Fuzzy Hash: d8a21661d1f567ad713d53faa6c69bd0ec26cdbde39bb947187881bd5eb12523
    • Instruction Fuzzy Hash: 7B215236A08F4682EB20AF17E4C416DA361FB88F98F944232EA8D47764DF3DD541C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID:
    • API String ID: 3677997916-0
    • Opcode ID: 571d7be88da916435b1834045258c9542402878e43f99d626120bfe0add84d47
    • Instruction ID: 8cb60d71550bf0434916adbd7e9753375accedc3f0e43a68e9fda0e4480ad194
    • Opcode Fuzzy Hash: 571d7be88da916435b1834045258c9542402878e43f99d626120bfe0add84d47
    • Instruction Fuzzy Hash: 5F21972671974587E760DF52B89057AB3E0EB44FA8F841131EE8D43A14EF3CD544CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseCreateValue
    • String ID:
    • API String ID: 1818849710-0
    • Opcode ID: aded8b8a11ba7c276ec9837d47961e10a92c73dba9c669fb721afac7271ce716
    • Instruction ID: f1207abc3581070932cd1a21af56d7ae2ab1d3fad1ed857f6f5ba0ce5f7f68d8
    • Opcode Fuzzy Hash: aded8b8a11ba7c276ec9837d47961e10a92c73dba9c669fb721afac7271ce716
    • Instruction Fuzzy Hash: 8621B832A18A8582EB609F52F48436AF3A0FBC5BECF544135DA4D47758CF3CC0588B50
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7C414C226
      • Part of subcall function 00007FF7C402D904: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7C402D91B
      • Part of subcall function 00007FF7C402D904: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7C402D95A
      • Part of subcall function 00007FF7C414C3FC: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7C414C449
      • Part of subcall function 00007FF7C414C3FC: _Getctype.LIBCPMT ref: 00007FF7C414C4A6
      • Part of subcall function 00007FF7C414C3FC: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7C414C552
      • Part of subcall function 00007FF7C414C3FC: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7C414C5CC
    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FF7C414C215
    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C414C299
      • Part of subcall function 00007FF7C4038140: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C4038149
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskGetctypeLocinfoLocinfo::_Locinfo::~_Locinfo_ctorstd::bad_alloc::bad_alloc
    • String ID:
    • API String ID: 1625665728-0
    • Opcode ID: db2911422380c632175408739cb0f9d9dd673d901138753845d45aec4756bf97
    • Instruction ID: 1566b1274e3e2a1e47360a39f4341e8ab1777cf943c26c42b51aaaa019f5a9c2
    • Opcode Fuzzy Hash: db2911422380c632175408739cb0f9d9dd673d901138753845d45aec4756bf97
    • Instruction Fuzzy Hash: FC217126609A4692EA60EF52F4D06B9A360FF84B98F855531DA8D03B65EF3CE950C720
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Concurrency::cancel_current_task$CheckCommonHandlerstd::bad_alloc::bad_alloc
    • String ID:
    • API String ID: 578624868-0
    • Opcode ID: 84b5d08723c792a72248bd953c951071d923513f621b148705325d60b2f4c97c
    • Instruction ID: 56727eb7ccc53fd37762378d94f8a562b76e718e73aa4ba1e99e0f7738edad83
    • Opcode Fuzzy Hash: 84b5d08723c792a72248bd953c951071d923513f621b148705325d60b2f4c97c
    • Instruction Fuzzy Hash: CDE03052E9914341FD5C7FB305861B485902F597F8EDA16F0ED3D063C2EE0CE5D18660
    APIs
    • SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7C4024DB9
      • Part of subcall function 00007FF7C41102EC: GetFileVersionInfoSizeW.VERSION ref: 00007FF7C4110357
      • Part of subcall function 00007FF7C41102EC: GetFileVersionInfoW.VERSION ref: 00007FF7C411039B
      • Part of subcall function 00007FF7C41102EC: VerQueryValueW.VERSION ref: 00007FF7C41103BD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: FileInfoVersion$FolderPathQuerySizeSpecialValue
    • String ID: \OneDriveSetup.exe
    • API String ID: 1814992152-3077312612
    • Opcode ID: e35f0874c524c9a54ba95860ee363a254550973427a80d986ed0578d9fd3e349
    • Instruction ID: 927461f5f38c5cdc1092ff2698af48a57c34d7e5e7fdb2b29710c59c734e7e28
    • Opcode Fuzzy Hash: e35f0874c524c9a54ba95860ee363a254550973427a80d986ed0578d9fd3e349
    • Instruction Fuzzy Hash: 22D1AD73605B4586DB60DF2AD98026DB3B4FB48FA8B568126CE5C53BA4DF3CE891C350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID: gfffffff
    • API String ID: 118556049-1523873471
    • Opcode ID: aaf06d691201b316cb0a75739cd8089afc561bff66ceabfb1394e48e1df54b50
    • Instruction ID: 355eb4c1420643ffa67bb370a2ab3272bf3d39aeaae08c6a8cdb4a430a7909c5
    • Opcode Fuzzy Hash: aaf06d691201b316cb0a75739cd8089afc561bff66ceabfb1394e48e1df54b50
    • Instruction Fuzzy Hash: E071F5B3B18B8582DA10DF1AF58846DB3A8FB58BD8B519226DF9D87750DF38E190C300
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_
    • String ID: bad conversion
    • API String ID: 909987262-2629740042
    • Opcode ID: 08b8b637e1ef0ffd60f1d62ffb69fb264ecce0c716dfe29943364dda724ac44e
    • Instruction ID: 8549cefada984ed70777b38bc7a06851b821e15ee294f944e3cbd659b6877d85
    • Opcode Fuzzy Hash: 08b8b637e1ef0ffd60f1d62ffb69fb264ecce0c716dfe29943364dda724ac44e
    • Instruction Fuzzy Hash: 55618B22B14B459AE710EFA2E4801AD73B5FB44B6CF905025DF8D13A94EF38D569C354
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: PathRelative
    • String ID: Common
    • API String ID: 1021466915-3795875175
    • Opcode ID: f77da248145983928a9af540ca05c0cc98d414fe47319e63f26ceb968230cfae
    • Instruction ID: 394fda0bc42b0678954ab9ffc87a0277514d46798ca8b149a858977fcea3ca2e
    • Opcode Fuzzy Hash: f77da248145983928a9af540ca05c0cc98d414fe47319e63f26ceb968230cfae
    • Instruction Fuzzy Hash: B3617D22F4868189E710EFA6D8802AC77B1FB457ACF811075DE4E6BB69DF38E449C350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID: gfffffff
    • API String ID: 118556049-1523873471
    • Opcode ID: da01ae192f33f6329a4d01478e68d8cfb8486efb935b6df04ae80f15bc066f32
    • Instruction ID: 3e01e316f6ae57fe5671b436eff0c2b3061c7924300ae5489058652c6e1e690f
    • Opcode Fuzzy Hash: da01ae192f33f6329a4d01478e68d8cfb8486efb935b6df04ae80f15bc066f32
    • Instruction Fuzzy Hash: 6851D422A04B8983D660DF26F980269B3A0F748BE8F549125EFDD53B55EF38E185D301
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Hash_seqstd::_
    • String ID: unordered_map/set too long
    • API String ID: 1492732761-306623848
    • Opcode ID: 029ef4cb25c6206ee7907666c3dbdfe142d820341cede23331935b3dbe97df31
    • Instruction ID: 7000407cece5998a9561dc02bc7edc8232b276d9cb70a9df3f8a4dadfd8b3728
    • Opcode Fuzzy Hash: 029ef4cb25c6206ee7907666c3dbdfe142d820341cede23331935b3dbe97df31
    • Instruction Fuzzy Hash: 3351F363659B4582EA24AF57E08027CB360FF88BE8F998532DE4E17755DF3CE1918320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Time$CurrentFileProcessSystem
    • String ID: %Y-%m-%d.%H%M
    • API String ID: 2307650585-1379819877
    • Opcode ID: 00358643d3f73428f411666e1901820eea312d2db20b01d83f188d314e8ebf8f
    • Instruction ID: 849fa7b1246c3dfeebd8ad06c320ac580177a8d411143cdc742794cbcca25535
    • Opcode Fuzzy Hash: 00358643d3f73428f411666e1901820eea312d2db20b01d83f188d314e8ebf8f
    • Instruction Fuzzy Hash: A641A422A48A4291EB20FF52E8812EDB760FF857A8FC15036EA4D476A5DF3CD585C750
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: Software\Microsoft\RDInfraAgent
    • API String ID: 628915230-1656033187
    • Opcode ID: 485e5e2662def4e13307c9d88d03b02b218f023320d276624961288b31bde128
    • Instruction ID: 66390805caf09d0fd750247c52c31143a63bc899b1df3bb390b006b950bc5243
    • Opcode Fuzzy Hash: 485e5e2662def4e13307c9d88d03b02b218f023320d276624961288b31bde128
    • Instruction Fuzzy Hash: A1015232A28B8196DB009F16E48009EB370FB84B94F845225FB8D53B9ADF3CD105CB40
    APIs
      • Part of subcall function 00007FF7C4064B6C: EnterCriticalSection.KERNEL32 ref: 00007FF7C4064BC8
      • Part of subcall function 00007FF7C4064B6C: LeaveCriticalSection.KERNEL32 ref: 00007FF7C4064C52
      • Part of subcall function 00007FF7C4064D10: EnterCriticalSection.KERNEL32 ref: 00007FF7C4064D59
      • Part of subcall function 00007FF7C4064D10: _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4064D99
      • Part of subcall function 00007FF7C4064D10: SHGetFolderPathW.SHELL32 ref: 00007FF7C4064DF7
    • CreateFileW.KERNELBASE ref: 00007FF7C4065174
    • GetLastError.KERNEL32 ref: 00007FF7C4065189
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CriticalSection$Enter$Aligned_get_default_resourceCreateErrorFileFolderLastLeavePath
    • String ID:
    • API String ID: 2826797238-0
    • Opcode ID: 90bd16fff8ac0a4754d0e071c97363f575fe83fcc3b6586f31f010bfe3450a01
    • Instruction ID: 8c956c6f1be5fef8fb69249212a5ed01b156635f8389ff7dc32f627a6715734c
    • Opcode Fuzzy Hash: 90bd16fff8ac0a4754d0e071c97363f575fe83fcc3b6586f31f010bfe3450a01
    • Instruction Fuzzy Hash: 4A717032B58B8295FB00DF66E8802E9A3A4FB947ACF910136DE4D57A95DF3CE584C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID:
    • API String ID: 47109696-0
    • Opcode ID: c9b898542888d0d6629e1275e2cf395d777ecab5d06fa451b5648c931f9c77e2
    • Instruction ID: 13f4a3b0317048d95cb98b634f9fa93fc86f6ccdb7049ad51fa131003fbe9e16
    • Opcode Fuzzy Hash: c9b898542888d0d6629e1275e2cf395d777ecab5d06fa451b5648c931f9c77e2
    • Instruction Fuzzy Hash: 1651A322B54A8299F710EF72E4811FCA3B1BB9476CF814531EE4D56A9ADF38D584C350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 73155330-0
    • Opcode ID: 38d3b42bab1e8fcd92fc5d5db9615c84184a78f71e1ce146a9ad9010599ad38d
    • Instruction ID: 202525f8ccbbd1bfadbd86b596cb91962db8e34c7c044565ddc2fa14b8c7055f
    • Opcode Fuzzy Hash: 38d3b42bab1e8fcd92fc5d5db9615c84184a78f71e1ce146a9ad9010599ad38d
    • Instruction Fuzzy Hash: 18411923B4864255EE14BF2799852B9A261BF44BF8F850672DE2E477D1EE3CE0C18710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 64e159eec5ba67525ac31ea5e6e38ee7a2dc667cd3b5c9a182241cb9c5b4b3c1
    • Instruction ID: 74a9d41788c97d4328a08bcd845a350de8f1be3b6d68e803c2696847cfac5448
    • Opcode Fuzzy Hash: 64e159eec5ba67525ac31ea5e6e38ee7a2dc667cd3b5c9a182241cb9c5b4b3c1
    • Instruction Fuzzy Hash: 6541C262B1466246FF00AF6BA8853ACA361AB55FFCF841631DE1C177C5EF38E4828350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 94b301dab37ccdcd7c436ec9dfde98726f86b6323355a47e008ff0cbc47d1e02
    • Instruction ID: 8a2cfcb68d0dca5c5672d264c34f1a7b726db889e15be6dc81a4504f60055f5a
    • Opcode Fuzzy Hash: 94b301dab37ccdcd7c436ec9dfde98726f86b6323355a47e008ff0cbc47d1e02
    • Instruction Fuzzy Hash: 37419FB3B14A4481EB08AF26C58836CA361EB54FBDF928672DB5C076D9CF6DD8D08354
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: ExclusiveLock$AcquireRelease
    • String ID:
    • API String ID: 17069307-0
    • Opcode ID: 218f1446f38a1950de1cfaebd2ce496f9eeebb6780045b956c224588b2cbc886
    • Instruction ID: d0e0c94dca6be0688df0192fcb8dcd4cdb501b064e951f9ffb52a614132656eb
    • Opcode Fuzzy Hash: 218f1446f38a1950de1cfaebd2ce496f9eeebb6780045b956c224588b2cbc886
    • Instruction Fuzzy Hash: FF416C22B54B0685FB00EF62D9913BCA3A5BB48BE8F854471DE4C17B59DF3CE5928360
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID:
    • API String ID: 47109696-0
    • Opcode ID: 309f8565431deecee6466e2eb5a7511012c0eddc588f092cbe7bc37eb1711fcc
    • Instruction ID: c332678e1bee25e593ef18e9527215e904e7d0193c703b502042f2cbceadeda1
    • Opcode Fuzzy Hash: 309f8565431deecee6466e2eb5a7511012c0eddc588f092cbe7bc37eb1711fcc
    • Instruction Fuzzy Hash: 1E41B372708B8586EB209F1AE4806AAA7B0F789BA8F404236DF9C57764DE7DD444C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: ExclusiveLock$AcquireRelease
    • String ID:
    • API String ID: 17069307-0
    • Opcode ID: a52f02afd52039ef20a21c2a8fd9b749793abeb58375e6f487ae6f462ea6dec8
    • Instruction ID: e030f79b82a4508acd47915757179ff6e171220b53bba814c1ccaa369cd4ab8c
    • Opcode Fuzzy Hash: a52f02afd52039ef20a21c2a8fd9b749793abeb58375e6f487ae6f462ea6dec8
    • Instruction Fuzzy Hash: A131C422A48A4981EF51EF16E080379A7A1EB84FACFD94471DB8E07795CF2CD8A1C714
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID:
    • API String ID: 47109696-0
    • Opcode ID: c021bee72f9394e60f5ab8f3802e77c66cb397d71389ea3ad5861b0d11f4287b
    • Instruction ID: 813f590f3e45caf7a358fab4859a3df423ae52b5b15c47b0a505011c3c5c1a1e
    • Opcode Fuzzy Hash: c021bee72f9394e60f5ab8f3802e77c66cb397d71389ea3ad5861b0d11f4287b
    • Instruction Fuzzy Hash: 1F313072608B818AE7209F5AE8C42AAA7B0F789FA9F544136DF8C47768CF3DD554C710
    APIs
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID:
    • API String ID: 442123175-0
    • Opcode ID: b210457f69cdedcc833c522d187e1f57bd8b44b0908bf27100a7769f8ef38535
    • Instruction ID: 8a4943b94745ee75bbc5a45f387c0b0a825ab897420297cdb6278b7b41fe197c
    • Opcode Fuzzy Hash: b210457f69cdedcc833c522d187e1f57bd8b44b0908bf27100a7769f8ef38535
    • Instruction Fuzzy Hash: F931C532A19B8196DB10AF16E4802E9B7A0FB58798F858033EF8D83754DF3CD555C714
    APIs
    Similarity
    • API ID: ErrorFromLastString
    • String ID:
    • API String ID: 3006059378-0
    • Opcode ID: 6bb9f58bdb983c4b8aa3b46d06469b26feb6c11e6b41b97f60ccaf098538320f
    • Instruction ID: 663366f7a13ea1ad6b8c496bf682a249db22b2fdfb699f01654bcaf95c74254e
    • Opcode Fuzzy Hash: 6bb9f58bdb983c4b8aa3b46d06469b26feb6c11e6b41b97f60ccaf098538320f
    • Instruction Fuzzy Hash: C121C822B18B4582E720EF17E4C02AAA7B0FB98B68FC04235EADD43695DF3CD545C760
    APIs
    Similarity
    • API ID: Initialize_invalid_parameter_noinfo_set_fmode
    • String ID:
    • API String ID: 3548387204-0
    • Opcode ID: 36fc153796fea83cdf4f3a541401c628bb0157591ca3492735c06590df4852bb
    • Instruction ID: 8b983874938d465aac4fe19c07b84378d219dc536bbb39c9c3b903a6f2bd5b11
    • Opcode Fuzzy Hash: 36fc153796fea83cdf4f3a541401c628bb0157591ca3492735c06590df4852bb
    • Instruction Fuzzy Hash: F7119A51E9950342FA54BFB346C62B8C9916F9832DFCB14F4E90D462E3EE1CB8D08672
    APIs
    • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7C406354D,?,?,00000000,00007FF7C4063602), ref: 00007FF7C406373E
    • GetLastError.KERNEL32(?,?,?,00007FF7C406354D,?,?,00000000,00007FF7C4063602), ref: 00007FF7C4063748
    Similarity
    • API ID: ChangeCloseErrorFindLastNotification
    • String ID:
    • API String ID: 1687624791-0
    • Opcode ID: f7a5f2ce10f31a94824610c7345421d26d13861c99f7259af3626c606b309b64
    • Instruction ID: e30fe42a233a0a51c83f111f730ab8463574cfd77265da22bb27cab5b64fcc5e
    • Opcode Fuzzy Hash: f7a5f2ce10f31a94824610c7345421d26d13861c99f7259af3626c606b309b64
    • Instruction Fuzzy Hash: 07210761B58A8241FE647F63A0D12BC95829F407BCF8542BDEE1E473C5CE7CE4C08220
    APIs
    • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7C4047326,?,?,?,00007FF7C40475EE,?,?,?,?,00007FF7C4060DE0,?,?,?), ref: 00007FF7C4052EA0
    • FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7C4047326,?,?,?,00007FF7C40475EE,?,?,?,?,00007FF7C4060DE0,?,?,?), ref: 00007FF7C4052F0A
    Similarity
    • API ID: EnvironmentStrings$Free
    • String ID:
    • API String ID: 3328510275-0
    • Opcode ID: eeb74cd6e0af9f6bd475ca350fb883224579acd6067a959c8a7b97642224c8ab
    • Instruction ID: d52a40db73380416e32cea0525cf365004335fe7a7e48e1ab1b0b3293714c3cf
    • Opcode Fuzzy Hash: eeb74cd6e0af9f6bd475ca350fb883224579acd6067a959c8a7b97642224c8ab
    • Instruction Fuzzy Hash: 8F018611E48B5141DA10BF126455069A360EF54BB4FC94174DE6E137D5DE2CE4828754
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturnshared_ptr
    • String ID:
    • API String ID: 2168938143-0
    • Opcode ID: d005dbde5efec947eb4f736d471612ec88b3744960d2571c3b00fbc7fb13794b
    • Instruction ID: 1394f38a4218d7b86ca9a04354c967c420b6769ce97d371f5098ae033b3a7c85
    • Opcode Fuzzy Hash: d005dbde5efec947eb4f736d471612ec88b3744960d2571c3b00fbc7fb13794b
    • Instruction Fuzzy Hash: 87016162B4494543FE24AE26D58436DE761EB48BF8F5D4A75DB2C0BA89CF7CD4D08310
    APIs
    Similarity
    • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 2371198981-0
    • Opcode ID: 09fa084edcc1f4ca3c0daf4fd6dbf2df63a84f8f3a2beedbb96584f1974857ea
    • Instruction ID: c398fea8f779ca071cb57f189fe3c733784bf971775da065fabb91abccd764fe
    • Opcode Fuzzy Hash: 09fa084edcc1f4ca3c0daf4fd6dbf2df63a84f8f3a2beedbb96584f1974857ea
    • Instruction Fuzzy Hash: D9F06251E4574A90DE15AF62D4C10A953A09F59B78B854B71DA2C0A3D1EE2CE5D5C310
    APIs
    • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,00007FF7C4047783,00007FF7C4056682,?,?,?,00007FF7C40569FF,?,?,00000000,00007FF7C4057568,?,?,?,00007FF7C405749B), ref: 00007FF7C4050F16
    • GetLastError.KERNEL32(?,?,00007FF7C4047783,00007FF7C4056682,?,?,?,00007FF7C40569FF,?,?,00000000,00007FF7C4057568,?,?,?,00007FF7C405749B), ref: 00007FF7C4050F20
    Similarity
    • API ID: ErrorLanguagesLastPreferredRestoreThread
    • String ID:
    • API String ID: 588628887-0
    • Opcode ID: 0b6dae97ffca4b8e32fb011204c4957ed53db2bc798c70a76fbcb7083b5f3604
    • Instruction ID: 4ebc0e79420698588070938256fd7ffbcdb97afa073064ca41c9a88255a74559
    • Opcode Fuzzy Hash: 0b6dae97ffca4b8e32fb011204c4957ed53db2bc798c70a76fbcb7083b5f3604
    • Instruction Fuzzy Hash: D5E08610F59A0242FF187FF354D50B895648F84B79FC55874C94D42291ED2C68C19334
    APIs
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID:
    • API String ID: 3168844106-0
    • Opcode ID: 959598d607d225d787bff5bc479d776011f20bafc3898567677b3ebb6d11edb2
    • Instruction ID: 0994c5ac5e5a4879fd4c74d2e01367623b3bb6952c984b6a5f82c6a0466e4e47
    • Opcode Fuzzy Hash: 959598d607d225d787bff5bc479d776011f20bafc3898567677b3ebb6d11edb2
    • Instruction Fuzzy Hash: 0E412736A09F0586EB14AF26E49432CA760FF88FA9F584132CE5D03768DF6ED844C364
    APIs
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID:
    • API String ID: 3168844106-0
    • Opcode ID: dbf070c3ab106ad0012074d281cdb6d096a90a5a7d16d8a09526fedf964e80d3
    • Instruction ID: 4454dce95b62d28f65fa1c904697827e4e9ffa2b68fb0bfbcf575ad9b02fdae6
    • Opcode Fuzzy Hash: dbf070c3ab106ad0012074d281cdb6d096a90a5a7d16d8a09526fedf964e80d3
    • Instruction Fuzzy Hash: 95F0897570875052F714AF12B4840E9E715EB957E9F400135EF8D03B55CF3CD59AC618
    APIs
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID:
    • API String ID: 3168844106-0
    • Opcode ID: 08f4d9a072a5697c8e9ee5f465f55970225a7c6f687ee7213528f5e382713201
    • Instruction ID: 98310248281153a87450c33c307f1b986b3753f605b6ee724161bade2f09768e
    • Opcode Fuzzy Hash: 08f4d9a072a5697c8e9ee5f465f55970225a7c6f687ee7213528f5e382713201
    • Instruction Fuzzy Hash: E5F0A776608B9492E7109F12B4440DAE710EB85BE9F400039EF8D03B55CF3CD59AC718
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 2a4b86ad36b716e41aabe01d66633124b1eeca7650ef80b4c12497063eb21f87
    • Instruction ID: 5d413f2263dcc3fbce682c4e2a625a95ae67ff941fdaa774ee542b6e7f57f021
    • Opcode Fuzzy Hash: 2a4b86ad36b716e41aabe01d66633124b1eeca7650ef80b4c12497063eb21f87
    • Instruction Fuzzy Hash: 67B16762B04A518AEB14DE6BE4803ADB7A1FB44FACF946136CE8D47799DF38D841C350
    APIs
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C412038D
      • Part of subcall function 00007FF7C41167FC: GetCurrentProcess.KERNEL32 ref: 00007FF7C4116856
      • Part of subcall function 00007FF7C4116AA8: _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4116AE3
    Similarity
    • API ID: Aligned_get_default_resource$CurrentProcess
    • String ID:
    • API String ID: 3082324263-0
    • Opcode ID: f63771f413988e58959b0a5d12e7bf235cafc9bed3305a75b9ba23d3fe877673
    • Instruction ID: 6e4d4f9d237af65298cc2fad36f1562aed7aace1d8b7cba07819ea3b766da82c
    • Opcode Fuzzy Hash: f63771f413988e58959b0a5d12e7bf235cafc9bed3305a75b9ba23d3fe877673
    • Instruction Fuzzy Hash: 6CB1A122A18B818AEB20EF61E8801EDB7B0FB9475CF805135EF8D57A9ADF38D545C750
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 89f08a7217b56e2cdbd635fbeb737cdc213b5bca2ce99f3ac6117d0e27162c99
    • Instruction ID: ece0cc8a3a4437c1e563fe6d177f46135ecdaf904ae508c9c8001c517edae0dc
    • Opcode Fuzzy Hash: 89f08a7217b56e2cdbd635fbeb737cdc213b5bca2ce99f3ac6117d0e27162c99
    • Instruction Fuzzy Hash: B7A15B73609A41C8DB20AF26C5C02AC73B1FB58B9CF925232EA4D47B99DF3AD484C710
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: f03c3821ee799b612c4c567ba139c09d8d0eb6adae2e2614be4315f6b1291335
    • Instruction ID: 0c6346e59fe9c0a9eaefa7e822603cd9faac2a06bf8aa04625809c42f5620fe0
    • Opcode Fuzzy Hash: f03c3821ee799b612c4c567ba139c09d8d0eb6adae2e2614be4315f6b1291335
    • Instruction Fuzzy Hash: 5481AE32F18A419AEB10EF62E4802AD73B1EB54B6CF845535CE8D13A98EF38E559C354
    APIs
    • _Mtx_init_in_situ.LIBCPMT ref: 00007FF7C40A6B2C
      • Part of subcall function 00007FF7C4038858: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C4038888
      • Part of subcall function 00007FF7C4038858: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C403888E
      • Part of subcall function 00007FF7C4038858: __GSHandlerCheckCommon.LIBCMT ref: 00007FF7C40388A2
    Similarity
    • API ID: Concurrency::cancel_current_task$CheckCommonHandlerMtx_init_in_situ
    • String ID:
    • API String ID: 1568983462-0
    • Opcode ID: 71bf19e9faa3c9284b18db263c737d84c6aab8fcef08b1ac508b36802013550d
    • Instruction ID: b762f0f1258ca99041e4ab8f81e22ec7620e4fd051a4be7e815ff9b442e3dcb4
    • Opcode Fuzzy Hash: 71bf19e9faa3c9284b18db263c737d84c6aab8fcef08b1ac508b36802013550d
    • Instruction Fuzzy Hash: D3514333245B80A6C7099F20E98029DBBF8FB88758F958029DB9C53724EF78E5B5C350
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: ff31d3cc53424af764c390567fb79b5fe55bc895cf04ef9fbb9ce5241749c6c7
    • Instruction ID: a2130b43fa4ab396e85856029936996c00c829fdd9eed69a1cbf902d4cffd8c4
    • Opcode Fuzzy Hash: ff31d3cc53424af764c390567fb79b5fe55bc895cf04ef9fbb9ce5241749c6c7
    • Instruction Fuzzy Hash: B341B73291861583FA74AF1AE4C127DB3A0EB91B68F940231DA9E877D1DF2DE443C760
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: ab34ffbba8abc48d363c605bf10efc9ba95eea93dd8ad3a6bdaaed00d9a42e00
    • Instruction ID: c4cf4468a5d83e730317dc2e77baae35fbd25f67b778fbeb521f57c3e9542492
    • Opcode Fuzzy Hash: ab34ffbba8abc48d363c605bf10efc9ba95eea93dd8ad3a6bdaaed00d9a42e00
    • Instruction Fuzzy Hash: 8041B133614B4586EB10EF22E4813AEB7A1FB897A8F814631EA8D07B95DF7CD581C750
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Mtx_init_in_situ
    • String ID:
    • API String ID: 3366076730-0
    • Opcode ID: 2239276cf98b74a5188a8bbe0c96f75c3de580ac14bb543414dddb355def5e71
    • Instruction ID: 04e3d9e632739dfb7e59c10069cbeeea1fe352d7bf44d92600247fc86d1a8b79
    • Opcode Fuzzy Hash: 2239276cf98b74a5188a8bbe0c96f75c3de580ac14bb543414dddb355def5e71
    • Instruction Fuzzy Hash: 0841E333155BD185E7409F61E8843D973A8F748F98F58823AEB9C4BB99EF7490A5C320
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: ce5b99f190d0430723ef27ac96a51395b3a63e38a9d235c041903079eb58a6d3
    • Instruction ID: 03f667c7cedc52899a701889aeedc809ed6eca15399035d184615f855631abb9
    • Opcode Fuzzy Hash: ce5b99f190d0430723ef27ac96a51395b3a63e38a9d235c041903079eb58a6d3
    • Instruction Fuzzy Hash: 64318F22B58A4155E7457F9794C12BCAA64AF80BB8FC306B5D91E073D3DEBCA4808731
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID:
    • API String ID: 118556049-0
    • Opcode ID: e91fce25f638684a5b8254f95a9dbc90ae5d50a3f2ca227cec01f8f2134244bf
    • Instruction ID: 1c1e1af622008cb26f197126cdef0d5d51e958caf974490c54c343ff4b98cc7e
    • Opcode Fuzzy Hash: e91fce25f638684a5b8254f95a9dbc90ae5d50a3f2ca227cec01f8f2134244bf
    • Instruction Fuzzy Hash: EF21F762F48A4184EA14AF17A5802B8A270EB54BF8F584771EB7D077D5EF2CD0D1C340
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: LocinfoLocinfo::~_std::_
    • String ID:
    • API String ID: 2823473280-0
    • Opcode ID: 691b85cd56ca58f63016942d18bc75eca041c70522621e457475bc6abc1f2dc1
    • Instruction ID: 2b0bd018d728ad7a79bbe288cba4d8090295c78d945c038562e40762616bb27f
    • Opcode Fuzzy Hash: 691b85cd56ca58f63016942d18bc75eca041c70522621e457475bc6abc1f2dc1
    • Instruction Fuzzy Hash: DE21C832A49B4185EB20EF16E5803B9B3A0FF847A4F864571EA4C03795EF3CD490C350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: ff68aeca87b4da2310bf737107c7627ecdde129dcf4df9af6470528147ee77d2
    • Instruction ID: ad0ed1ec4bebaef33b008b800fcd0c397ce78043fa885fba947daeb3aa3b3d0c
    • Opcode Fuzzy Hash: ff68aeca87b4da2310bf737107c7627ecdde129dcf4df9af6470528147ee77d2
    • Instruction Fuzzy Hash: 7621C832A0868246EB71AF19D481379B6A0EB84B6CF954234EB5D476D9DF3ED4408B10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: 43b982df4bdcc9a0eb6a9274553db4681419506a585dd51b9a3da18eb664f449
    • Instruction ID: 57cfbeb5b8871a58a9553c305da9a517e958dcfec68d0ce619ae462ecd05bd80
    • Opcode Fuzzy Hash: 43b982df4bdcc9a0eb6a9274553db4681419506a585dd51b9a3da18eb664f449
    • Instruction Fuzzy Hash: 2B11D821A1C68282FA70BF47948127DE264BF45BA8FC50434EE4C97B86DF3DD8409760
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: InformationToken
    • String ID:
    • API String ID: 4114910276-0
    • Opcode ID: 59d978035e98c39ff22f13dfbc1f3998f132d7ff43caa30dfb46fe568dfab0c9
    • Instruction ID: 59966368b4108ddb74922a454ab933f098d0ea893b3b4ebe61916df306027c6a
    • Opcode Fuzzy Hash: 59d978035e98c39ff22f13dfbc1f3998f132d7ff43caa30dfb46fe568dfab0c9
    • Instruction Fuzzy Hash: 9D213076608A4682EB609F16E48036AB770FB89FD8F944136DA4D07728CF3ED544CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a256ef63936d6bdb1731879260660355e04c8c4ea8c7bd0c33fa6792688f90d2
    • Instruction ID: 806666249f715b1f7bd61ea34d30d4fab28bc85d9f245582b3ca5396835fb946
    • Opcode Fuzzy Hash: a256ef63936d6bdb1731879260660355e04c8c4ea8c7bd0c33fa6792688f90d2
    • Instruction Fuzzy Hash: DC11C262B68B4645EE54AF62B49127AE3A0BF847B8F864435DE4E0BB55CE3CE4408610
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: fede611926bd553b2d0ebb1fdc686398f0d9474feeb4c19362613e88661a10a9
    • Instruction ID: b20dd2fb12280a4251e2d1f4698fd3429c439fff52bf654bec106256d7e4c265
    • Opcode Fuzzy Hash: fede611926bd553b2d0ebb1fdc686398f0d9474feeb4c19362613e88661a10a9
    • Instruction Fuzzy Hash: B5119A3277869142EB10EF16E585769B350F784BF4F801235F65A4BB85CF3DD1518B40
    APIs
    • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C410D272), ref: 00007FF7C410D437
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Open
    • String ID:
    • API String ID: 71445658-0
    • Opcode ID: 24ce0d325fb44d3bd056293ed65412aae83f5baa574ba06e185e6f3732a8e999
    • Instruction ID: c2a5de0fe206bf090051a1aeab438c2e18bd21aed64efd8dfe6419207e487666
    • Opcode Fuzzy Hash: 24ce0d325fb44d3bd056293ed65412aae83f5baa574ba06e185e6f3732a8e999
    • Instruction Fuzzy Hash: A211E9B1714B4581EB10AF26F4D1A66B7A1FB98BD8F901136CE4D83B25CE3CD490C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Mtx_unlock
    • String ID:
    • API String ID: 1418687624-0
    • Opcode ID: 72438f761be25e108077e82a679225d603157860a1885808aa871e83059a702a
    • Instruction ID: d26d99a182402a764c058a71c141ed85597bac2155b1f40e61c408886e9027cd
    • Opcode Fuzzy Hash: 72438f761be25e108077e82a679225d603157860a1885808aa871e83059a702a
    • Instruction Fuzzy Hash: E0117032704A4582EB14AF27B4902ADA765EB98BE8F880571EF8E47B55DF3DE4418350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 550a4f931fb56f287c68c2df5d72d76bc8604f324f8494a2b60a442bfbebadb6
    • Instruction ID: 93b7946aa927bd900dbaf9bfe33cace9b10b8e1f45eddd06b58788aedc405b4c
    • Opcode Fuzzy Hash: 550a4f931fb56f287c68c2df5d72d76bc8604f324f8494a2b60a442bfbebadb6
    • Instruction Fuzzy Hash: 4101C0A2B1054546EE18BE33D4953BCA3609F44FBCF982675CA2C0E1C6DE2CE9D4C390
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: da745c093014d2f81b6c0f8073760d4483a5e0a34614487dddc869a4a90146a8
    • Instruction ID: 6c86c45e5aec5f8e3b88c8cfa501c3955dc7a1a1464ec7a0402c255e768c8e01
    • Opcode Fuzzy Hash: da745c093014d2f81b6c0f8073760d4483a5e0a34614487dddc869a4a90146a8
    • Instruction Fuzzy Hash: 4D111436A10B069DEB10AFA0D4812EC37B8FB0436CF911A36EA4D12B59EF34C194C3A0
    APIs
    • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7C405149A,?,?,?,00007FF7C4046A01,?,?,?,?,00007FF7C405169E,?,?,00000000), ref: 00007FF7C40518C5
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: f6f58e17aaaf3202dd725def8ae694481d68a40c727e5b06579fb5c9be69bc33
    • Instruction ID: 11af557e7616a36f472600ceded56d82279b85f28917a40eccb5dbbf838cd1b5
    • Opcode Fuzzy Hash: f6f58e17aaaf3202dd725def8ae694481d68a40c727e5b06579fb5c9be69bc33
    • Instruction Fuzzy Hash: E7F03C10F89A0641FE647EA364812B492859F44BA8FCA5470CD0E8A2C2EE1CA4D08238
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Yarn
    • String ID:
    • API String ID: 1767336200-0
    • Opcode ID: 42c5f168b88bf70b6cedf738c2cdc578343e93d7a1bd0c5c1daaa99887097674
    • Instruction ID: 25bb239112e78b838a8e4c5edcda898986bfbce8810eae721538362ce50771bc
    • Opcode Fuzzy Hash: 42c5f168b88bf70b6cedf738c2cdc578343e93d7a1bd0c5c1daaa99887097674
    • Instruction Fuzzy Hash: C3018FB2605B8486DB149F2EE58015877B0F719FC8BA4A134DB8C43715DB39C4B2C700
    APIs
      • Part of subcall function 00007FF7C411F868: _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C411F8C7
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C411F3A3
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID:
    • API String ID: 628915230-0
    • Opcode ID: 4d65320993bc7012d4227e75c0166f2c78762cf2a76a65eaf2ee75e7e401246c
    • Instruction ID: ce65ae84d59043b6810cca63af0015eb7a755837269f0db2f06d395dc9215dfe
    • Opcode Fuzzy Hash: 4d65320993bc7012d4227e75c0166f2c78762cf2a76a65eaf2ee75e7e401246c
    • Instruction Fuzzy Hash: 41011B7291868582EB21AF52E580269B3B0FB89B6CF840235DACD06295CF3CE185C615
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturnshared_ptr
    • String ID:
    • API String ID: 2168938143-0
    • Opcode ID: 9ed8cf880f7cc7bd8b5ab9524d65615aa2c5f7851869210192ac80e09264b114
    • Instruction ID: 9aaac0f2ae1501a52462a0b0b0085797bf9a98983fcb16c9cd3c58088d1bc16b
    • Opcode Fuzzy Hash: 9ed8cf880f7cc7bd8b5ab9524d65615aa2c5f7851869210192ac80e09264b114
    • Instruction Fuzzy Hash: 96F06DA2B5458682FF1CBE66E18937CA712EB19FACFD01471DA4C0A68ADF6DD4C48350
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    • Opcode ID: b92e2adce9a8fbe29abd0cd764d7c42809e477a869babeda42e830652301f614
    • Instruction ID: 1c8565a136286416193a6133d32ec6c5f618a12b607155ae4db4eff4da623fae
    • Opcode Fuzzy Hash: b92e2adce9a8fbe29abd0cd764d7c42809e477a869babeda42e830652301f614
    • Instruction Fuzzy Hash: 86F0672261CA8096E6609F51F4D53AAA370FB84768FC15331D7AD476D5DF7CD148C740
    APIs
    • RtlAllocateHeap.NTDLL(?,?,?,00007FF7C4051685,?,?,00000000,00007FF7C4046A77,?,?,?,00007FF7C4047783,?,?,?,00007FF7C4047679), ref: 00007FF7C4054EC6
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: abcb5a8b87a5b71316a14f217ff42fbe299c9595cd5410c0e55a3f12113f42e9
    • Instruction ID: 039d84a35d3d4f08ccda1f91b03de9cfd5d36f8df39a68e7bc6b4c7dde3d8646
    • Opcode Fuzzy Hash: abcb5a8b87a5b71316a14f217ff42fbe299c9595cd5410c0e55a3f12113f42e9
    • Instruction Fuzzy Hash: C1F05E10F8DA4641FE557EA35AC13F5D1808F447B8FCA0674D92E862C1DE6CA8D0A238
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Mtx_unlock
    • String ID:
    • API String ID: 1418687624-0
    • Opcode ID: 16e842590be2e7df17869df71923ce9b31f12df57d3ec26b15337c0df8650b20
    • Instruction ID: 0855c2015cf4a3ce5c9ea8130ef40d475ee0155a7c7b0af2855d617cdd6b3cbe
    • Opcode Fuzzy Hash: 16e842590be2e7df17869df71923ce9b31f12df57d3ec26b15337c0df8650b20
    • Instruction Fuzzy Hash: 94E0922770468181EA11EF22F5413AAA310BB89FE9F4400338F4D03756CF3CC0C38614
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: a91d87733f2431b6f55e9b58867493385ccae49aff1c5ec6964c4aba7c861886
    • Instruction ID: 6cec60d3e18b4a93acf71b0cd6689716c2cc1035c89947060f3c09225a62b359
    • Opcode Fuzzy Hash: a91d87733f2431b6f55e9b58867493385ccae49aff1c5ec6964c4aba7c861886
    • Instruction Fuzzy Hash: DBE0ED71E5910286FA653FA689823BDA2A49F5176CFD24570D51C473C2DE7E28824731
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Enum
    • String ID:
    • API String ID: 2928410991-0
    • Opcode ID: 58a5cb2ba9b800201c87955cf8d299cf42edeff4c5b22bdaf35e29357395d10f
    • Instruction ID: e43ab27471841918add151edb9cd380f1a0f68bfcf43513d9fdb6a762e786f8a
    • Opcode Fuzzy Hash: 58a5cb2ba9b800201c87955cf8d299cf42edeff4c5b22bdaf35e29357395d10f
    • Instruction Fuzzy Hash: 21E0C966629FC882D7608F16B88564AA7A4F788BD4F104115EECD43B28EF38C4608B04
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: QueryValue
    • String ID:
    • API String ID: 3660427363-0
    • Opcode ID: 29702790335004db37999fe4fef7badbca55fb2a53bea902d276f4f85d8e0242
    • Instruction ID: e0e6f37872f9e99b9923f38f3abcff9a4b924fc5b48f1c2d5f9c9f32e39ef691
    • Opcode Fuzzy Hash: 29702790335004db37999fe4fef7badbca55fb2a53bea902d276f4f85d8e0242
    • Instruction Fuzzy Hash: 6ED01776A18F4882CA10CF57B84545AA760F799BD8F100212EE8C03738DE3CC1A18A08
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID:
    • API String ID: 628915230-0
    • Opcode ID: cfd881905aefe9ddad0d19f8d21e32a2f4963ff934f57eb101df287e5a64d619
    • Instruction ID: d6242e4591b0df916867800e012ac08895d488334d87967523c11ea9478190fb
    • Opcode Fuzzy Hash: cfd881905aefe9ddad0d19f8d21e32a2f4963ff934f57eb101df287e5a64d619
    • Instruction Fuzzy Hash: 81D05E50B4470581DE08BF67A48126C9311AB8AFD0F885031DD0D0B351CD2CD0919320
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID:
    • API String ID: 628915230-0
    • Opcode ID: 9165917813f6924b2fe427d363525dba862c3ac11501a748096fb6e98cae80e0
    • Instruction ID: ce34466c07565520dae364ef187b19eec28d3c5d6624cd8dd818bb6da9f6811a
    • Opcode Fuzzy Hash: 9165917813f6924b2fe427d363525dba862c3ac11501a748096fb6e98cae80e0
    • Instruction Fuzzy Hash: 02D0C979A04B85C2CA14EF4AD4910A87360BBC8F95BD04022DE4D4B325DE6CD115DB10
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: ErrorLast$Process$MemoryRead$Library$AddressCloseConcurrency::cancel_current_taskFreeHandleLoadOpenProc_invalid_parameter_noinfo_noreturn
    • String ID: Allocate the buffer failed. hr=$LoadLibrary failed. hr=$NtQueryInformationProcess$OpenProcess with pid=$ReadProcessMemory failed trying to read the PEB. hr=$ReadProcessMemory failed trying to read the command line. hr=$ReadProcessMemory failed trying to read the process parameters. hr=$Unable to read the process basic information status=$basicInformation.PebBaseAddress is null. hr=$failed with hr=$ntdll$peb.ProcessParameters is null. hr=
    • API String ID: 1051646886-941745286
    • Opcode ID: 748954d665aa1cded9c7f4e6cf24d62386d891dfaa643e195f21751a4f42bea8
    • Instruction ID: a62e6f71342aecd6eafab6be767cb739a84eb350441e0b41e7f2c08e34b1fcba
    • Opcode Fuzzy Hash: 748954d665aa1cded9c7f4e6cf24d62386d891dfaa643e195f21751a4f42bea8
    • Instruction Fuzzy Hash: 92328622A59A4292EB10AF66E4C11EAE770FFD17A8F811036EA8E42675DF3CD585C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: DeviceInfo.NetworkCost$DeviceInfo.NetworkProvider$DeviceInfo.NetworkType$DeviceInfo.OsBuild$DeviceInfo.OsName$DeviceInfo.OsVersion$EventInfo.Level$Metered$OverDataLimit$Unknown$Unmetered$WWAN$Wifi$Wired
    • API String ID: 3668304517-218813173
    • Opcode ID: 0936d9fa8513abb8d72f0aa2c8cea7177969ae4b6341d2e428214f12acf5c19d
    • Instruction ID: 406add6e3f6ebdc09cc1774b158781270b874623de14b22a4aeecdd32bc2de8d
    • Opcode Fuzzy Hash: 0936d9fa8513abb8d72f0aa2c8cea7177969ae4b6341d2e428214f12acf5c19d
    • Instruction Fuzzy Hash: 8E12CB62A1868652FA10AF2AF4853B9E361FBC57B8FC05335E9DC02AD9EF6CD145C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Mtx_unlock$_invalid_parameter_noinfo_noreturn
    • String ID: %p: LogEvent(properties.name="%s", ...)$%p: LogFailure(signature="%s", properties.name="%s", ...)$%p: LogPageAction(pageActionData.actionType=%u, properties.name="%s", ...)$<unnamed>$Failed to log %s event %s/%s: invalid arguments provided$Failure$PageAction$custom
    • API String ID: 3123592497-2525901976
    • Opcode ID: cf801635a7be05968af9fca338abf2cce70d07d40befbe9d8097c6ad17c9b0aa
    • Instruction ID: 55404d818dff603e069bbd47cf06ad809384316671d4ca55b8bf144385ec4b13
    • Opcode Fuzzy Hash: cf801635a7be05968af9fca338abf2cce70d07d40befbe9d8097c6ad17c9b0aa
    • Instruction Fuzzy Hash: 1F62AF22A18B8586FB10AF66E4853ECA761FB85BACF804235EE9D17795DF38D185C310
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Aligned_get_default_resource$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
    • String ID: 9$AppData\Local\Microsoft\Windows\UsrClass.dat$NTUSER.DAT$ProfileImagePath$Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$\NTUSER.DAT
    • API String ID: 3723918569-2654858704
    • Opcode ID: 7a06866def23978929af95bf0928dd18bbafa17e8a10cc7f923a15a0776a152d
    • Instruction ID: dd9e0f111bcd37ffa376f95cf2d487758b019c247c9dac242f19ae8a763a113f
    • Opcode Fuzzy Hash: 7a06866def23978929af95bf0928dd18bbafa17e8a10cc7f923a15a0776a152d
    • Instruction Fuzzy Hash: 8E428022A04B519AEB10EFB6E8802ED7770FB8476CF911136EE4D17AA9DF78D149C710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn$LockitLockit::_std::_$Find_elem
    • String ID: $+xv$0123456789-
    • API String ID: 713437749-795863860
    • Opcode ID: a827013702466e175b67674a3f574cd5622aafc6ba17de87177943ec0c0448e0
    • Instruction ID: 9c03806f27b45509d20d95aff96350f219f6f5f1c0758f5cb167a49153593669
    • Opcode Fuzzy Hash: a827013702466e175b67674a3f574cd5622aafc6ba17de87177943ec0c0448e0
    • Instruction Fuzzy Hash: 7AE2A332A19A8586EB509F2AE0D01BDB774FB44FA8F949036DA8E47794CF3DD891C710
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
    • String ID:
    • API String ID: 2591520935-0
    • Opcode ID: eb5083ad156808c0cd8f6aefb1b870ef16911619f18d93158d82892593add95d
    • Instruction ID: 5cab4c15b46876fa0d2f7a6743fb0341ddf4bbcf13820de8ab7c2540e6dbe7f4
    • Opcode Fuzzy Hash: eb5083ad156808c0cd8f6aefb1b870ef16911619f18d93158d82892593add95d
    • Instruction Fuzzy Hash: 9E718D63B48A0289FB10AF62D4816BCA3A4FF447ACF854175CE0D93695DF3DE4A4C369
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: LockitLockit::_std::_
    • String ID:
    • API String ID: 3382485803-0
    • Opcode ID: c5bc659ad6d2400934dc38c3d8c73492eaaf5bebfcece1907d99fc57aab27436
    • Instruction ID: 218e5f52d48cc7d745415d1859f3655b6e170d5bb5d64a6894d84207d62887b8
    • Opcode Fuzzy Hash: c5bc659ad6d2400934dc38c3d8c73492eaaf5bebfcece1907d99fc57aab27436
    • Instruction Fuzzy Hash: 31529662A18F8586EB109F2AE4841FDA761FB54FACF905132DA8D47B95EF3CD580C350
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: AES$ChainingMode$ChainingModeCBC
    • API String ID: 3668304517-2985348328
    • Opcode ID: 822c79848f966aac036654f59ea58fa01759f4f509956c055eee607bd4adae95
    • Instruction ID: d56745ec503ab59cc37f42f21b29f88b235fe56cc5778c20a24f480d38ebe11b
    • Opcode Fuzzy Hash: 822c79848f966aac036654f59ea58fa01759f4f509956c055eee607bd4adae95
    • Instruction Fuzzy Hash: 5A51E433B5864286EB10AF66E0907B9A3A0FB887ACF854175EE4D47A99DF3CE140C714
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    Similarity
    • API ID: CloseEnumInfoOpenQuery_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3890109837-0
    • Opcode ID: d1a53bbb5d69a94a16ed45a0e36ab4d779bcdcf0d213a1bf01bb9bc44bcd2376
    • Instruction ID: d6f15e543169c256608dccb6d896da091cd5c76463dc6fa4dec25ef2c3577bfb
    • Opcode Fuzzy Hash: d1a53bbb5d69a94a16ed45a0e36ab4d779bcdcf0d213a1bf01bb9bc44bcd2376
    • Instruction Fuzzy Hash: 6AF18F33A58B9186E710DF66E8801ADB7B0FB54BACF904235DA9D53A98EF38D590C350
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: 4234fe7d9ffbb3d36c05a77e151b86e7eaacfa3abc8a9b66635b20f29fb2e8d7
    • Instruction ID: 6f64dc3230fba3b35b4aaf79c7d2a5b6c3094f278049a87c42a2434ec6a9877b
    • Opcode Fuzzy Hash: 4234fe7d9ffbb3d36c05a77e151b86e7eaacfa3abc8a9b66635b20f29fb2e8d7
    • Instruction Fuzzy Hash: C7E1B032A4864286FA68AE67C1D477CA7E1FB557A8F824175CF4D47691CF2CE4E0C328
    APIs
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID:
    • API String ID: 118556049-0
    • Opcode ID: 3b781a240ae162b9da03ee55da720aa796fc86d0f7bbc6572ff14b3c72615291
    • Instruction ID: 0851007dfe7ac46177f498cae858af7c067ded88354908d715466d3e04d8c5e3
    • Opcode Fuzzy Hash: 3b781a240ae162b9da03ee55da720aa796fc86d0f7bbc6572ff14b3c72615291
    • Instruction Fuzzy Hash: 3DC1C072B15B8582DA14DF1AE58426DB3A4FB64BE8F614232DE8D07B95DF78E1D2C300
    APIs
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID:
    • API String ID: 118556049-0
    • Opcode ID: d9c27adcec7561452afd5096e476d0e8acf93d3268352a684dbc81c91fe5eee9
    • Instruction ID: b5dab61e4407a3fc136da62b6bfb9c2799f28c9dd81363a236c7fa4e3943ea49
    • Opcode Fuzzy Hash: d9c27adcec7561452afd5096e476d0e8acf93d3268352a684dbc81c91fe5eee9
    • Instruction Fuzzy Hash: 24D19E32A08B85C2DA20DF25E68026AB3A4F754B9CFA15225DF9D07B54DF7CE1E5C341
    APIs
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID:
    • API String ID: 118556049-0
    • Opcode ID: a7e537dad34ba72783bbd0f504efa2ca427cfd35dc6a4e205f61720cf0c04d02
    • Instruction ID: 3f1aa8989409b1c956c7464c29041fc03269fe3ec266bf173e5a90f171f3601c
    • Opcode Fuzzy Hash: a7e537dad34ba72783bbd0f504efa2ca427cfd35dc6a4e205f61720cf0c04d02
    • Instruction Fuzzy Hash: 1EA11563B4879582DA24EF13B48406EE764FB95BE4F914132EE8D17B54EF3CE4818704
    APIs
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 3668304517-0
    • Opcode ID: afe850be9d93aad4f07be341f973cefab4ac3952d48306f1628271cf66f65505
    • Instruction ID: 7ad8151de17039df7332fe4a742ec95546e425350b9d925e0cc698b92d3fe459
    • Opcode Fuzzy Hash: afe850be9d93aad4f07be341f973cefab4ac3952d48306f1628271cf66f65505
    • Instruction Fuzzy Hash: 84A1D362F0C69685FB10EF66D8806BDA7A1BB65BACF864075DE4D17B84DF38D481C320
    APIs
    Similarity
    • API ID: ErrorLastValue$InfoLocale
    • String ID:
    • API String ID: 673564084-0
    • Opcode ID: 900b5362cedf92cd1298dd0b44a4bc01ccecbd881f8b8c8e53c01bb734b02f26
    • Instruction ID: 42320195f90448b581c5c86b29ae8b462fb76940176b45fb84b40449a203259b
    • Opcode Fuzzy Hash: 900b5362cedf92cd1298dd0b44a4bc01ccecbd881f8b8c8e53c01bb734b02f26
    • Instruction Fuzzy Hash: A631B632A48A4286EB24EF33E4813AEB3A0FB44799F814475DA4D83395DF3CE4908754
    APIs
      • Part of subcall function 00007FF7C40512C0: GetLastError.KERNEL32 ref: 00007FF7C40512CF
      • Part of subcall function 00007FF7C40512C0: FlsGetValue.KERNEL32 ref: 00007FF7C40512E4
      • Part of subcall function 00007FF7C40512C0: SetLastError.KERNEL32 ref: 00007FF7C405136F
    • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7C4058A17,?,00000000,00000092,?,?,00000000,?,00007FF7C4048841), ref: 00007FF7C40582C6
    Similarity
    • API ID: ErrorLast$EnumLocalesSystemValue
    • String ID:
    • API String ID: 3029459697-0
    • Opcode ID: fcd1d0e915c24937d86626db0e378f0fa692b7176b1ee41891a8c94a49cc2de6
    • Instruction ID: a05f95ad72f1560b4ea3f95b665a591869419fae82f9466e1a5baa0dd7b71c2a
    • Opcode Fuzzy Hash: fcd1d0e915c24937d86626db0e378f0fa692b7176b1ee41891a8c94a49cc2de6
    • Instruction Fuzzy Hash: 5D11D277E48E458AEB14AF16E0802B8BBA0FB50BA8F858135DA69433D0DE68D5E1C754
    APIs
      • Part of subcall function 00007FF7C40512C0: GetLastError.KERNEL32 ref: 00007FF7C40512CF
      • Part of subcall function 00007FF7C40512C0: FlsGetValue.KERNEL32 ref: 00007FF7C40512E4
      • Part of subcall function 00007FF7C40512C0: SetLastError.KERNEL32 ref: 00007FF7C405136F
    • GetLocaleInfoW.KERNEL32(?,?,?,00007FF7C405858D), ref: 00007FF7C405881F
    Similarity
    • API ID: ErrorLast$InfoLocaleValue
    • String ID:
    • API String ID: 3796814847-0
    • Opcode ID: 9184ed228a4ee769309b4505e3af879f3f28d84536c3c316c91a83640034886d
    • Instruction ID: a1c119eef3776a8ad86ce6eb36ae2460e3611ec44f92462a946e03a0a7dd3125
    • Opcode Fuzzy Hash: 9184ed228a4ee769309b4505e3af879f3f28d84536c3c316c91a83640034886d
    • Instruction Fuzzy Hash: 2D113A33E5CA5282E7647F13D080679A2A0FB407B8F954171EF29476C4DE39D8E08754
    APIs
      • Part of subcall function 00007FF7C40512C0: GetLastError.KERNEL32 ref: 00007FF7C40512CF
      • Part of subcall function 00007FF7C40512C0: FlsGetValue.KERNEL32 ref: 00007FF7C40512E4
      • Part of subcall function 00007FF7C40512C0: SetLastError.KERNEL32 ref: 00007FF7C405136F
    • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7C40589D3,?,00000000,00000092,?,?,00000000,?,00007FF7C4048841), ref: 00007FF7C4058376
    Similarity
    • API ID: ErrorLast$EnumLocalesSystemValue
    • String ID:
    • API String ID: 3029459697-0
    • Opcode ID: 76ec7a8b0537e3056620b15473c057ccbb618670a7280db60b74ee404279d856
    • Instruction ID: b07f7743e5f413b4b7e9f2f3ebdc2584224b03126fdac1ef2f7d58a8b9af5493
    • Opcode Fuzzy Hash: 76ec7a8b0537e3056620b15473c057ccbb618670a7280db60b74ee404279d856
    • Instruction Fuzzy Hash: F301F573F086418AE7106F17E4807BDB2E1FB40BB8F869271DA68472C4DF6894D0C714
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 15598170c4e219c1fed1d8407dff443a20c6cac9f33d97d193ea03927027a2aa
    • Instruction ID: 76e14a18b7bb5fc5eb3841627b335086df994fc250e4e862736193b6db4cab1e
    • Opcode Fuzzy Hash: 15598170c4e219c1fed1d8407dff443a20c6cac9f33d97d193ea03927027a2aa
    • Instruction Fuzzy Hash: AC627A72A186518BD7649F2AC0C153C77B1F75DF6CB605236DF0A43789CA3AE891CBA0
    Similarity
    • API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
    • String ID:
    • API String ID: 4023145424-0
    • Opcode ID: 0c259e7e14965f61cf9cf02e0f74da2cec5e4e7e1a36e7b86064b225628a1674
    • Instruction ID: 8f6d9aa914ff46c2fe1b0877405687aae9ea85f6b59aa38c5c28a4854aa31fee
    • Opcode Fuzzy Hash: 0c259e7e14965f61cf9cf02e0f74da2cec5e4e7e1a36e7b86064b225628a1674
    • Instruction Fuzzy Hash: 86C1E52BA4868245FB60AF6398907BAA7A0FF947ACF815475DE4D47AC4DF3CD581C310
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09f369739d1dc597dbf4e8c694f92dce2ed7aac6ab24d9d4fde7add358abfa13
    • Instruction ID: 45002f75296253c48a2a24f4d92779c2dda7a2f906cff76bf13398315c345b91
    • Opcode Fuzzy Hash: 09f369739d1dc597dbf4e8c694f92dce2ed7aac6ab24d9d4fde7add358abfa13
    • Instruction Fuzzy Hash: AAC1BF22608B8586EB64AF17F98416AAB72FB55FE8F841431DE9E47795CF3AD180C310
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d9ee84c17bfe5d2bae113dd60a057cb2c01c1fb846ca8572ecb6d5b05cfb7aff
    • Instruction ID: de8d9aa90750e076e55bbdbf28558d5cd1249229f864611f4ebfa57e40dc815a
    • Opcode Fuzzy Hash: d9ee84c17bfe5d2bae113dd60a057cb2c01c1fb846ca8572ecb6d5b05cfb7aff
    • Instruction Fuzzy Hash: 58C18A2660CF9582EA60EE17F184169A761FB49FE8F841531EEDE57795CF38E880C720
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0e8dbf452419a69db4963a785c829d168b996700be1bd811c9d74d0bf4ac8606
    • Instruction ID: e4d34945820fa02e74419d4563cfac44ad085963ecf47d32bda2d391e67f7625
    • Opcode Fuzzy Hash: 0e8dbf452419a69db4963a785c829d168b996700be1bd811c9d74d0bf4ac8606
    • Instruction Fuzzy Hash: 76C14A63F08F828AF7118F6994425EDB371FB89798F515721EFC922A09EF399255C380
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7ed021cad9cdc4207a736d9a1c8dbfb8eb28145466836173afe80b3e92b19b51
    • Instruction ID: b1e8f03f697c5c2776fb13c6dff44523e8271541d83ee4add9b371ce24fda22b
    • Opcode Fuzzy Hash: 7ed021cad9cdc4207a736d9a1c8dbfb8eb28145466836173afe80b3e92b19b51
    • Instruction Fuzzy Hash: 74B17E73A4C75585E764AF3A818023CBBA0E745B6CFAB2179CA4E07399CF39D481C764
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 17e70c536852cf1c99ba6510785e92bebb3166d3b4351d28670b2176a3f42db9
    • Instruction ID: dc6d22a6eb1a6874aeefd6c88e4cfdba29d1aca0fddbe914b72b3e593be865e4
    • Opcode Fuzzy Hash: 17e70c536852cf1c99ba6510785e92bebb3166d3b4351d28670b2176a3f42db9
    • Instruction Fuzzy Hash: D6719FB37301749BEB648B2E9514AA93390F36A34DFC56115EB8947B81CE3EB921CF50
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dbdc1a3f118d3b8b859566733d9e33d3283d4ffa3789efa3bcfdd3670eea43d7
    • Instruction ID: a99dc27186e6dfcf416fec6631f43dbe44c346173d2565457c2688690a7e2928
    • Opcode Fuzzy Hash: dbdc1a3f118d3b8b859566733d9e33d3283d4ffa3789efa3bcfdd3670eea43d7
    • Instruction Fuzzy Hash: 5A1163DBC1EF9906EA037B3F9883551A710AFE34E8E50E762EDF030271EB1975185224
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2899553634.00007FF7C4001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C4000000, based on PE: true
    • Associated: 00000000.00000002.2899360126.00007FF7C4000000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900140362.00007FF7C42E9000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900415218.00007FF7C43BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900445177.00007FF7C43C3000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900500105.00007FF7C43CA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900527412.00007FF7C43CB000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900560114.00007FF7C43DD000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900692178.00007FF7C43E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2900692178.00007FF7C4401000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7c4000000_OneDriveUpdater.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn$Mtx_unlock
    • String ID: any$battery$charging$high$low$metered$restricted$roaming$unknown$unmetered
    • API String ID: 3867719841-4065239879
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn$AddressHandleModuleProcValue
    • String ID: RtlGetVersion$ntdll.dll
    • API String ID: 141191560-1489217083
    Similarity
    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
    • API String ID: 2565136772-3242537097
    Similarity
    • API ID: Aligned_get_default_resource$CompareFileTime
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdaterCustomerPromises.cpp$HKCU$HKLM$StandaloneUpdaterCustomerPromises::GetUpdateFailedReason$c#VC$exists
    • API String ID: 3974154690-2352077611
    APIs
    • OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C41142AE
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C41142BE
    • GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C41142EE
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C41142F8
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C4114308
    • GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C411434B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C4114355
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C4114394
    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C4114419
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C4116868), ref: 00007FF7C411442C
    Similarity
    • API ID: ErrorLast$Token$Information$CloseFreeHandleLocalOpenProcess
    • String ID:
    • API String ID: 1214604485-0
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: #$LoggingTelemetrySession::UpdateTelemetryTransmissionProfile$OD_CUSTOM_PROFILE$TRANSMIT_IMMEDIATE$d:\dbs\sh\odct\0223_153807_0\cmd\o\client\onedrive\Product\Logging\LoggingTelemetrySession.cpp
    • API String ID: 3668304517-581840345
    Similarity
    • API ID:
    • String ID: -NodeType:$-NodeType:NullNode$ECSConfigurationParser::GetSettingsFromJsonObject$d:\dbs\sh\odct\0223_153807_0\cmd\1k\client\onedrive\Product\UpdateRingSettings\ECSConfigurationParser.cpp
    • API String ID: 0-1770375861
    APIs
    • _Mtx_unlock.LIBCPMT ref: 00007FF7C41B46D1
      • Part of subcall function 00007FF7C4079480: std::ios_base::failure::failure.LIBCPMT ref: 00007FF7C40796D1
    • std::runtime_error::runtime_error.LIBCPMT ref: 00007FF7C41B477C
      • Part of subcall function 00007FF7C41B4128: __std_exception_copy.LIBVCRUNTIME ref: 00007FF7C41B4164
      • Part of subcall function 00007FF7C403A478: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C401B651,?,?,?,?,00007FF7C40016C7), ref: 00007FF7C403A4BC
      • Part of subcall function 00007FF7C403A478: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C401B651,?,?,?,?,00007FF7C40016C7), ref: 00007FF7C403A502
    • shared_ptr.LIBCPMT ref: 00007FF7C41B4805
    • _Mtx_unlock.LIBCPMT ref: 00007FF7C41B481F
    Similarity
    • API ID: Mtx_unlock$ExceptionFileHeaderRaise__std_exception_copyshared_ptrstd::ios_base::failure::failurestd::runtime_error::runtime_error
    • String ID: ' is already registered$Viewer: '$nullptr passed for data viewer
    • API String ID: 725075926-3957438740
    Similarity
    • API ID: String$AllocFree_invalid_parameter_noinfo
    • String ID: OneDrive Standalone Update Task
    • API String ID: 1379249218-1505381665
    Similarity
    • API ID: Mtx_unlock$CurrentDebugOutputStringSystemThreadTime
    • String ID: No active profile found, disabling all transmission timers.$Profile %s current rule %iz >= profile length %iz$Profile %s rule %iz has no timers$REAL_TIME$gfffffff
    • API String ID: 2624072379-2916182173
    Similarity
    • API ID: CompareOrdinalString
    • String ID: Personal$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace${a52bba46-e9e1-435f-b3d9-28daa648c0f6}
    • API String ID: 2409332303-3553581249
    Similarity
    • API ID: std::ios_base::failure::failure
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2264918676-1866435925
    APIs
    • _Mtx_unlock.LIBCPMT ref: 00007FF7C41B4959
      • Part of subcall function 00007FF7C4079480: std::ios_base::failure::failure.LIBCPMT ref: 00007FF7C40796D1
    • std::runtime_error::runtime_error.LIBCPMT ref: 00007FF7C41B49E7
      • Part of subcall function 00007FF7C41B4128: __std_exception_copy.LIBVCRUNTIME ref: 00007FF7C41B4164
      • Part of subcall function 00007FF7C403A478: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C401B651,?,?,?,?,00007FF7C40016C7), ref: 00007FF7C403A4BC
      • Part of subcall function 00007FF7C403A478: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C401B651,?,?,?,?,00007FF7C40016C7), ref: 00007FF7C403A502
    Similarity
    • API ID: ExceptionFileHeaderMtx_unlockRaise__std_exception_copystd::ios_base::failure::failurestd::runtime_error::runtime_error
    • String ID: ' is not currently registered$Viewer: '$nullptr passed for viewer name
    • API String ID: 195388382-4062399862
    Similarity
    • API ID: CallEncodePointerTranslator
    • String ID: MOC$RCC
    • API String ID: 3544855599-2084237596
    APIs
    • _Aligned_get_default_resource.LIBCPMT ref: 00007FF7C4018873
      • Part of subcall function 00007FF7C4019AF8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C4019BC6
    Strings
    • D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp, xrefs: 00007FF7C4018AA9
    • version, xrefs: 00007FF7C4018A45
    • StandaloneUpdater::SetMaxPerUserProductVersion, xrefs: 00007FF7C4018A9C
    Similarity
    • API ID: Aligned_get_default_resourceConcurrency::cancel_current_task
    • String ID: D:\dbs\sh\odct\0417_205450_0\cmd\1l\client\onedrive\Product\StandaloneUpdater\standaloneupdaterlib\StandaloneUpdater.cpp$StandaloneUpdater::SetMaxPerUserProductVersion$version
    • API String ID: 3100672956-1118071478
    • Opcode ID: 51fac543b52c855cd3328d4f98a497e93d6d9edf9451f8883ada97d8b0477e55
    • Instruction ID: b2801a1152ba2903e5d71c2efd9f27a8d01ab97a3842e07c8de71292e85340b3
    • Opcode Fuzzy Hash: 51fac543b52c855cd3328d4f98a497e93d6d9edf9451f8883ada97d8b0477e55
    • Instruction Fuzzy Hash: 82814732B44E429AEB10EF66D4C01EC7371FB947ACB810136EA4D27AA9EF38D555C354
    Similarity
    • API ID: LockitLockit::_std::_std::ios_base::failure::failure
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 1478341485-1866435925
    • Opcode ID: 20557b6a8990bdc54b5e63833a755f472b752bea3fc15f9632e01408c05c3b14
    • Instruction ID: 034dc214fc192eab55d267f7fcd7b2c474f1dc678e067124ccbf515e4273f9da
    • Opcode Fuzzy Hash: 20557b6a8990bdc54b5e63833a755f472b752bea3fc15f9632e01408c05c3b14
    • Instruction Fuzzy Hash: DC519E72A48B8582EB10EF5AE4C03A9E760FBC4B98F858132DA8C47B65DF7DD485C710
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: invalid_iterator
    • API String ID: 3668304517-2508626007
    • Opcode ID: 3e9db08025722f21c4f13ba2575d278146d25e97c37426ce44209fdb5791862b
    • Instruction ID: 20d20d815e719131a295e1e40158ae530ec66a3a0d8ac6bf1b327e16305d8e05
    • Opcode Fuzzy Hash: 3e9db08025722f21c4f13ba2575d278146d25e97c37426ce44209fdb5791862b
    • Instruction Fuzzy Hash: 1641A462F14A4545FB10EF6AE4853ACA361AB89BBCF815735DE6C176CAEE2CD1808350
    Similarity
    • API ID: _invalid_parameter_noinfo_noreturn
    • String ID: gfffffff
    • API String ID: 3668304517-1523873471
    • Opcode ID: 4926bbbb928c2598666776ecc0cbc4f6b87253b78e4f7ac3b77995c1c7563c4d
    • Instruction ID: 1aa21d1f30d404e61ea503d16c9a87b31ec34b35a329a3d82d125ab420861317
    • Opcode Fuzzy Hash: 4926bbbb928c2598666776ecc0cbc4f6b87253b78e4f7ac3b77995c1c7563c4d
    • Instruction Fuzzy Hash: C381F162B14A8542EE04AF17F9802A9A751FB58FD8F888435DF9D4BB55DF3CE1628301
    Similarity
    • API ID: Mtx_unlock
    • String ID: nullptr passed for viewer name
    • API String ID: 1418687624-3904132613
    • Opcode ID: 157a384f6c0c88933729d59f0ab06537c1c90a6ff182471720c7605449ad14bc
    • Instruction ID: cbe5b6119845b42c8d4fdf6c8bd8f08d5559b5ed612c6ad7d74fd9676eb82cec
    • Opcode Fuzzy Hash: 157a384f6c0c88933729d59f0ab06537c1c90a6ff182471720c7605449ad14bc
    • Instruction Fuzzy Hash: 3D515E72A08A5582EA64AF27F58127CA360FB84FB8F988231DE9D437A5DF3CD441C710
    Similarity
    • API ID: Aligned_get_default_resource
    • String ID: Software\Microsoft\OneDrive$Version
    • API String ID: 628915230-344254544
    • Opcode ID: 0698cf9696835d39b50fdb7c675b180e4a512da826b017931116504b780d21c4
    • Instruction ID: 33b6724a9e19562ed0e056bd63e83274fd360924d4bd5d3137ba39a5d98eb531
    • Opcode Fuzzy Hash: 0698cf9696835d39b50fdb7c675b180e4a512da826b017931116504b780d21c4
    • Instruction Fuzzy Hash: D2516D33B04A819AEB10EF66D4802ED6371FB84B9CF855136EA4D63B69EF38D650C354
    Similarity
    • API ID: _set_errno_from_matherr
    • String ID: exp
    • API String ID: 1187470696-113136155
    • Opcode ID: f6b7601b6d44efb385b7349c102ec396340d0876a401fade95c56295c57b4bc5
    • Instruction ID: 749f3d9fdb45731bee6cc2ffd06e1f0af37e3764447ba590e469ca2223de20a3
    • Opcode Fuzzy Hash: f6b7601b6d44efb385b7349c102ec396340d0876a401fade95c56295c57b4bc5
    • Instruction Fuzzy Hash: 98215E36F18A158EE740EF79D4806AC73F0FB49358F811536EA0D92B49DF38E4818B58